73 lines
2.2 KiB
YAML
73 lines
2.2 KiB
YAML
# .gitea/workflows/build-sign-push.yaml
|
||
name: build, sign and push
|
||
|
||
on:
|
||
push:
|
||
branches: [main]
|
||
|
||
env:
|
||
REGISTRY: git.realmanual.ru
|
||
IMAGE: git.realmanual.ru/${{ gitea.repository }}
|
||
|
||
jobs:
|
||
build-and-sign:
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: read
|
||
packages: write
|
||
|
||
steps:
|
||
- name: checkout
|
||
uses: actions/checkout@v4
|
||
# --- build ---
|
||
- name: set up docker buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
- name: Read Version
|
||
id: version
|
||
run: echo "VERSION=$(cat image/VERSION)" >> $GITHUB_OUTPUT
|
||
- name: login to registry
|
||
uses: docker/login-action@v3
|
||
with:
|
||
registry: ${{ env.REGISTRY }}
|
||
username: ${{ gitea.actor }}
|
||
password: ${{ secrets.PUSH_TOKEN }}
|
||
|
||
- name: build and push
|
||
id: build
|
||
uses: docker/build-push-action@v5
|
||
with:
|
||
context: ./image
|
||
push: true
|
||
# тегируем и по SHA и по latest
|
||
tags: |
|
||
${{ env.IMAGE }}:${{ gitea.sha }}
|
||
${{ env.IMAGE }}:${{ steps.version.outputs.VERSION }}
|
||
# digest понадобится для подписи — по тегу подписывать нельзя
|
||
outputs: type=image,push=true
|
||
|
||
# --- sign ---
|
||
# cosign надо ставить отдельно — в ubuntu-latest его нет
|
||
- name: install cosign
|
||
uses: sigstore/cosign-installer@v3
|
||
with:
|
||
cosign-release: 'v3.0.5'
|
||
|
||
- name: sign image
|
||
env:
|
||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||
# digest в формате sha256:abc123...
|
||
IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
|
||
run: |
|
||
cosign sign --yes \
|
||
--key env://COSIGN_PRIVATE_KEY \
|
||
${{ env.IMAGE }}@${IMAGE_DIGEST}
|
||
|
||
# --- verify (self-check в CI) ---
|
||
- name: verify signature
|
||
env:
|
||
IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
|
||
run: |
|
||
cosign verify \
|
||
--key cosign.pub \
|
||
${{ env.IMAGE }}@${IMAGE_DIGEST} |