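# .gitea/workflows/build-sign-push.yaml
#
# On every push to main: build the container image from ./image, push it to
# the registry tagged by commit SHA and by the version in image/VERSION, sign
# the pushed digest with cosign, then verify that signature against the public
# key committed at keys/cosign.pub.
#
# Required repository secrets: PUSH_TOKEN (registry push), COSIGN_PRIVATE_KEY,
# COSIGN_PASSWORD.
#
# NOTE(review): every action and the job container below are referenced by a
# mutable tag (@v4, @v3, @v6, act-latest). For a pipeline that handles the
# signing key, pin them to an immutable commit SHA / image digest
# (<PIN-PLACEHOLDER>) so the code running with COSIGN_PRIVATE_KEY in its
# environment cannot change underneath this workflow.
---
name: build, sign and push

on:
  push:
    branches: [main]

env:
  REGISTRY: git.realmanual.ru
  IMAGE: ${{ env.REGISTRY }}/${{ gitea.repository }}

permissions:
  contents: read
  packages: write

jobs:
  build-and-sign:
    runs-on: ubuntu-22.04
    container: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Read Version
        id: version
        # Fail fast if image/VERSION is missing or empty; a plain
        # `echo "VERSION=$(cat ...)"` succeeds even when cat fails, and the
        # build step would then receive a tag of the form "<image>:" and fail
        # with a much less clear error.
        run: |
          set -euo pipefail
          version="$(cat image/VERSION)"
          [ -n "${version}" ]
          echo "VERSION=${version}" >> "$GITHUB_OUTPUT"

      - name: login to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.PUSH_TOKEN }}

      - name: build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: ./image
          push: true
          # tag by commit SHA and by the version read from image/VERSION
          tags: |
            ${{ env.IMAGE }}:${{ gitea.sha }}
            ${{ env.IMAGE }}:${{ steps.version.outputs.VERSION }}
          # the digest is needed for signing — signing by tag is not done
          outputs: type=image,push=true

      - name: sign image
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          # digest in the form sha256:abc123...
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          cosign sign --yes \
            --key env://COSIGN_PRIVATE_KEY \
            ${{ env.IMAGE }}@${IMAGE_DIGEST}

      # --- verify (self-check in CI) ---
      # Confirms the digest just pushed verifies against the public key
      # committed in this repo; it is a sanity check of the signing step,
      # not a substitute for verification by consumers of the image.
      - name: verify signature
        env:
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          cosign verify \
            --key keys/cosign.pub \
            ${{ env.IMAGE }}@${IMAGE_DIGEST}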