fixed cosign on publish

Jacob Payne
2022-08-10 08:30:16 -07:00
parent 509d4e5c9e
commit 53f1bfc534
2 changed files with 36 additions and 14 deletions


@@ -20,12 +20,19 @@ jobs:
- v1.23.9+k3s1
- v1.22.11+k3s2
- v1.21.14+k3s1
env:
REGISTRY: quay.io
REGISTRY_USER: ${{ secrets.QUAY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
steps:
- uses: actions/checkout@v2
- uses: docker-practice/actions-setup-docker@master
- uses: earthly/actions-setup@v1
with:
version: "latest"
- run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- run: echo $REGISTRY_PASSWORD | docker login -u $REGISTRY_USER --password-stdin $REGISTRY
- run: env | grep ACTIONS_ID_TOKEN_REQUEST > .env
- run: env | grep REGISTRY >> .env
- run: earthly --ci --push +docker --K3S_VERSION=${{ matrix.k3s-version }} --BASE_IMAGE=${{ matrix.base-image }}
- run: earthly --ci +cosign --K3S_VERSION=${{ matrix.k3s-version }} --BASE_IMAGE=${{ matrix.base-image }}
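Review bot: The steps `env | grep ACTIONS_ID_TOKEN_REQUEST > .env` and `env | grep REGISTRY >> .env` write the registry password and the Actions OIDC request token in clear text into the checkout, where a later `COPY` of the build context, a cache or an artifact upload could carry them along; `grep REGISTRY` also matches any variable whose name or value contains that string. Passing them as Earthly secrets keeps them off disk, e.g. `earthly --ci --secret REGISTRY_PASSWORD --secret ACTIONS_ID_TOKEN_REQUEST_TOKEN +cosign …`, with the target reading them through `RUN --secret`. The new login should quote its expansions, `printf '%s' "$REGISTRY_PASSWORD" | docker login -u "$REGISTRY_USER" --password-stdin "$REGISTRY"`, and the older line that interpolates `${{ secrets.QUAY_PASSWORD }}` straight into the script looks superseded; the rendered page does not show whether it was removed.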


@@ -8,6 +8,11 @@ ARG LUET_VERSION=0.32.4
ARG GOLINT_VERSION=v1.46.2
ARG GOLANG_VERSION=1.18
ARG K3S_VERSION=latest
ARG BASE_IMAGE_NAME=$(echo $BASE_IMAGE | grep -o [^/]*: | rev | cut -c2- | rev)
ARG BASE_IMAGE_TAG=$(echo $BASE_IMAGE | grep -o :.* | cut -c2-)
ARG K3S_VERSION_TAG=$(echo $K3S_VERSION | sed s/+/-/)
build-cosign:
FROM gcr.io/projectsigstore/cosign:v1.9.0
SAVE ARTIFACT /ko-app/cosign cosign
@@ -54,11 +59,6 @@ lint:
RUN golangci-lint run
docker:
ARG K3S_VERSION=latest
ARG BASE_IMAGE_NAME=$(echo $BASE_IMAGE | grep -o [^/]*: | rev | cut -c2- | rev)
ARG BASE_IMAGE_TAG=$(echo $BASE_IMAGE | grep -o :.* | cut -c2-)
ARG K3S_VERSION_TAG=$(echo $K3S_VERSION | sed s/+/-/)
DO +VERSION
ARG VERSION=$(cat VERSION)
@@ -89,15 +89,30 @@ docker:
SAVE IMAGE --push $IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}_${VERSION}
cosign:
ARG GITHUB_TOKEN
ARG --required ACTIONS_ID_TOKEN_REQUEST_TOKEN
ARG --required ACTIONS_ID_TOKEN_REQUEST_URL
FROM alpine
ARG --required REGISTRY
ARG --required REGISTRY_USER
ARG --required REGISTRY_PASSWORD
DO +VERSION
ARG VERSION=$(cat VERSION)
FROM docker
ENV ACTIONS_ID_TOKEN_REQUEST_TOKEN=${ACTIONS_ID_TOKEN_REQUEST_TOKEN}
ENV ACTIONS_ID_TOKEN_REQUEST_URL=${ACTIONS_ID_TOKEN_REQUEST_URL}
ENV REGISTRY=${REGISTRY}
ENV REGISTRY_USER=${REGISTRY_USER}
ENV REGISTRY_PASSWORD=${REGISTRY_PASSWORD}
ENV COSIGN_EXPERIMENTAL=1
COPY +build-cosign/cosign /usr/local/bin/
ENV GITHUB_TOKEN=${GITHUB_TOKEN}
ENV COSIGN_EXPERIMENTAL=true
RUN echo $REGISTRY_PASSWORD | docker login -u $REGISTRY_USER --password-stdin $REGISTRY
RUN cosign sign +docker/$IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}
RUN cosign sign +docker/$IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}
RUN cosign sign +docker/$IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}_${VERSION}
RUN cosign sign $IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}
RUN cosign sign $IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}
RUN cosign sign $IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}_${VERSION}
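Review bot: In the `cosign` target, `ARG --required REGISTRY_PASSWORD` followed by `ENV REGISTRY_PASSWORD=${REGISTRY_PASSWORD}` (and the same pair for `ACTIONS_ID_TOKEN_REQUEST_TOKEN`) puts the credential into the build arguments and the environment of every later layer, so it can surface in build history, cache and logs. Mounting it only for the command that needs it avoids that, e.g. `RUN --secret REGISTRY_PASSWORD=+secrets/REGISTRY_PASSWORD echo "$REGISTRY_PASSWORD" | docker login -u "$REGISTRY_USER" --password-stdin "$REGISTRY"` (the secret syntax depends on the Earthly version in use), and the `ENV` lines for the password and token can then go. The three `cosign sign` lines reference mutable tags and run in a separate invocation from the push; signing the digest that `+docker` pushed would guarantee that the signature covers the image that was built. `FROM docker` is also untagged, so the signing environment changes with whatever `latest` is at build time.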