diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index d0e0c26..a36c7e5 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -17,16 +17,7 @@ jobs: name: 'Verify credentials' runs-on: 'ubuntu-latest' steps: - # upside: it logs out and aims to delete creds ~/.docker/config.json - # downside: extra dependency, uses -p instead of --password-stdin - - name: 'login ghcr.io (actor, via action)' - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 - with: - username: '${{ github.actor }}' - password: '${{ secrets.GITHUB_TOKEN }}' - registry: 'ghcr.io/${{ github.repository_owner }}' - - - name: 'login ghcr.io (actor, direct)' + - name: 'login ghcr.io (actor)' env: REGISTRY_USER: '${{ github.actor }}' REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' @@ -36,16 +27,15 @@ jobs: docker --version echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" - - name: 'login ghcr.io (repo owner, direct)' + - name: 'login ghcr.io (repo owner)' env: REGISTRY_USER: '${{ github.repository_owner }}' REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}' run: | podman --version - echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}" + echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" docker --version - echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}" + echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" verify_secrets_registries: name: 'Verify credentials (docker hub, quay)' 
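Review bot: The new `login ghcr.io (actor)` and `login ghcr.io (repo owner)` steps have no matching logout, so the token written by `podman login`/`docker login --password-stdin` stays in podman's auth store and in `~/.docker/config.json` for the rest of the job — the deleted comment on the removed action step named that logout as the reason the action was used. Add a last step that always runs, e.g. `- name: 'logout'` with `if: always()` and `run: podman logout --all && docker logout "ghcr.io/${GITHUB_REPOSITORY_OWNER}"`, and mirror it after the push/sign steps of the other four workflows in this diff (build_latest_release_multi.yml, build_master.yml, build_master_dev.yml, build_master_multi.yml), which add the same direct login without a logout. The job-scoped `GITHUB_TOKEN` is short-lived, but the `DOCKER_HUB_TOKEN` and `QUAY_TOKEN` logins in those workflows are not, so the leftover credential files matter more there. The `env:`/`run:` body of the second step continues in the next hunk of this file.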
@@ -80,15 +70,17 @@ jobs: sudo apt-get -o Dpkg::Use-Pty=0 install -y \ qemu-user-static buildah less git make podman clamav clamav-freshclam + - name: 'install prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install cosign grype trivy + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false + - name: 'build multi image' run: buildah unshare make branch_or_ref=master release_tag=master multibuild - name: 'test image' run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test - - name: 'install scan prereqs' - run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index d93ab84..56fa22e 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
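Review bot: `brew install cosign grype trivy` installs all three tools at whatever version Homebrew ships on the day, and in the four publishing workflows of this diff the same step replaces the commit-pinned `sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad` (v4.0.0) as the source of the binary that signs the released images — a loss of supply-chain pinning for the signer, while `actions/checkout` in the same hunk stays SHA-pinned. Prefer a pinned install (keep the pinned installer action, or fetch a specific cosign release and check its checksum or signature before use); the same applies to the `install prereqs` steps in build_latest_release_multi.yml, build_master.yml, build_master_dev.yml and build_master_multi.yml. In this CI workflow no visible step invokes cosign, so unless the `make … scan` target needs it the `cosign` formula can be dropped from this particular step. The job's `steps:` list starts outside this hunk.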
@@ -18,26 +18,6 @@ jobs: permissions: packages: write # To create/update container on ghcr.io steps: - - name: 'login ghcr.io' - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 - with: - username: '${{ github.actor }}' - password: '${{ secrets.GITHUB_TOKEN }}' - registry: 'ghcr.io/${{ github.repository_owner }}' - - name: 'login docker hub' - env: - DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' - DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' - run: | - echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io - echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: 'login quay.io' - env: - QUAY_USER: '${{ secrets.QUAY_USER }}' - QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' - run: | - echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io - echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io - name: 'install dev deps' run: | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list @@ -45,10 +25,12 @@ jobs: sudo rm -f /var/lib/man-db/auto-update sudo apt-get -o Dpkg::Use-Pty=0 install -y \ qemu-user-static buildah less git make podman clamav clamav-freshclam + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false tag_name: ${{ github.ref }} + - name: 'set env vars' run: | release_tag_redirect=$(curl -s https://github.com/curl/curl/releases/latest -w'%{redirect_url}\n' -o /dev/null) 
@@ -57,71 +39,109 @@ jobs: rel=${latest_release_ref:5} release_image_tag="${rel//_/.}" echo "REL=$release_image_tag" >> "$GITHUB_ENV" + + - name: 'install prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install cosign grype trivy + - name: 'build multi image' run: buildah unshare make branch_or_ref="$TAG_REF" release_tag="$REL" multibuild - name: 'test image' run: buildah unshare make dist_name=localhost/curl-multi release_tag="$REL" test - - name: 'install scan prereqs' - run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-multi:"$REL" scan + + - name: 'login ghcr.io' + env: + REGISTRY_USER: '${{ github.actor }}' + REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + run: | + echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" + - name: 'push images to github registry' run: | - buildah manifest push --format v2s2 --all curl-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-multi:"$REL" + buildah manifest push --format v2s2 --all curl-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-multi:"$REL" buildah manifest push --format v2s2 --all curl-base-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-base-multi:"$REL" - - name: 'install Cosign' - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + - name: 'sign images with sigstore key' env: COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-multi:"$REL" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-base-multi:"$REL" + - name: 'verify image with public key' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" 
cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:"$REL" cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:"$REL" + + - name: 'login docker hub' + env: + DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' + DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' + run: | + echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io + echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin + - name: 'push release to docker hub' run: | - buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://docker.io/curlimages/curl:"$REL" - buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://docker.io/curlimages/curl:latest + buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://docker.io/curlimages/curl:"$REL" + buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://docker.io/curlimages/curl:latest buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://docker.io/curlimages/curl-base:"$REL" buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://docker.io/curlimages/curl-base:latest + - name: 'sign images with a sigstore key' env: COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin docker.io/curlimages/curl:"$REL" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin docker.io/curlimages/curl:latest echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin docker.io/curlimages/curl-base:"$REL" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin docker.io/curlimages/curl-base:latest + - name: 'verify image with public key' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" cosign verify --key cosign.pub 
docker.io/curlimages/curl:"$REL" cosign verify --key cosign.pub docker.io/curlimages/curl:latest cosign verify --key cosign.pub docker.io/curlimages/curl-base:"$REL" cosign verify --key cosign.pub docker.io/curlimages/curl-base:latest + + - name: 'login quay.io' + env: + QUAY_USER: '${{ secrets.QUAY_USER }}' + QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' + run: | + echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io + echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io + - name: 'push release to quay.io' run: | - buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://quay.io/curl/curl:"$REL" - buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://quay.io/curl/curl:latest + buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://quay.io/curl/curl:"$REL" + buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://quay.io/curl/curl:latest buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://quay.io/curl/curl-base:"$REL" buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://quay.io/curl/curl-base:latest + - name: 'sign images with a sigstore key' env: COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin quay.io/curl/curl:"$REL" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin quay.io/curl/curl:latest echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin quay.io/curl/curl-base:"$REL" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin quay.io/curl/curl-base:latest + - name: 'verify image with public key' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" cosign verify --key cosign.pub quay.io/curl/curl:"$REL" cosign verify --key cosign.pub 
quay.io/curl/curl:latest cosign verify --key cosign.pub quay.io/curl/curl-base:"$REL" diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 7a513a6..5b5d1a7 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -21,26 +21,6 @@ jobs: permissions: packages: write # To create/update container on ghcr.io steps: - - name: 'login ghcr.io' - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 - with: - username: '${{ github.actor }}' - password: '${{ secrets.GITHUB_TOKEN }}' - registry: 'ghcr.io/${{ github.repository_owner }}' - - name: 'login docker hub' - env: - DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' - DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' - run: | - echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io - echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: 'login quay.io' - env: - QUAY_USER: '${{ secrets.QUAY_USER }}' - QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' - run: | - echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io - echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io - name: 'install dev deps' run: | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list 
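Review bot: The `sign images with sigstore key` / `sign images with a sigstore key` steps sign by tag (`…/curl-multi:"$REL"`, `…/curl:latest`), so cosign resolves the tag again at sign time and the signature covers whatever the registry returns then, not necessarily the manifest that `buildah manifest push` just uploaded; the following `verify image with public key` steps re-resolve the same tag, so they confirm that a signature exists but not that it is on the pushed digest. Capture the digest at push time with `--digestfile` and sign and verify `image@sha256:…` instead, as sketched below for the ghcr.io pair; the docker.io and quay.io steps, and the equivalent push/sign/verify steps in build_master.yml, build_master_dev.yml and build_master_multi.yml, need the same treatment. As a style point the three sign steps carry two different names (`sign images with sigstore key` vs `sign images with a sigstore key`); pick one. The job header and `steps:` key are outside this hunk.

```yaml
- name: 'push images to github registry'
  run: |
    buildah manifest push --format v2s2 --all --digestfile curl-multi.digest curl-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-multi:"$REL"
    buildah manifest push --format v2s2 --all --digestfile curl-base-multi.digest curl-base-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-base-multi:"$REL"
- name: 'sign images with sigstore key'
  # … unchanged: env with COSIGN_PASSWORD / COSIGN_PRIVATE_KEY …
  run: |
    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
    echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin "ghcr.io/curl/curl-container/curl-multi@$(cat curl-multi.digest)"
    echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin "ghcr.io/curl/curl-container/curl-base-multi@$(cat curl-base-multi.digest)"
- name: 'verify image with public key'
  run: |
    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
    cosign verify --key cosign.pub "ghcr.io/curl/curl-container/curl-multi@$(cat curl-multi.digest)"
    cosign verify --key cosign.pub "ghcr.io/curl/curl-container/curl-base-multi@$(cat curl-base-multi.digest)"
```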
@@ -48,37 +28,50 @@ jobs: sudo rm -f /var/lib/man-db/auto-update sudo apt-get -o Dpkg::Use-Pty=0 install -y \ qemu-user-static buildah less git make podman clamav clamav-freshclam + + - name: 'install prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install cosign grype trivy + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false ref: 'main' + - name: 'build master images' run: buildah unshare make branch_or_ref=master release_tag=master build_ref_images - name: 'test image' run: buildah unshare make dist_name=localhost/curl release_tag=master test - - name: 'install scan prereqs' - run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl:master scan + + - name: 'login ghcr.io' + env: + REGISTRY_USER: '${{ github.actor }}' + REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + run: | + echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" + - name: 'push images to github registry' run: | - buildah push curl-dev:master "docker://ghcr.io/curl/curl-container/curl-dev:master" + buildah push curl-dev:master "docker://ghcr.io/curl/curl-container/curl-dev:master" buildah push curl-base:master "docker://ghcr.io/curl/curl-container/curl-base:master" - buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master" - - name: 'install Cosign' - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master" + - name: 'sign image with a key' env: COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-dev:master echo 
"${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-base:master echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl:master + - name: 'verify image with public key' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base:master cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl:master diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 69bccd8..0e38da1 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -22,26 +22,6 @@ jobs: permissions: packages: write # To create/update container on ghcr.io steps: - - name: 'login ghcr.io' - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 - with: - username: '${{ github.actor }}' - password: '${{ secrets.GITHUB_TOKEN }}' - registry: 'ghcr.io/${{ github.repository_owner }}' - - name: 'login docker hub' - env: - DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' - DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' - run: | - echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io - echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: 'login quay.io' - env: - QUAY_USER: '${{ secrets.QUAY_USER }}' - QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' - run: | - echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io - echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io - name: 'install dev deps' run: | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list 
@@ -49,47 +29,66 @@ jobs: sudo rm -f /var/lib/man-db/auto-update sudo apt-get -o Dpkg::Use-Pty=0 install -y \ qemu-user-static buildah less git make podman clamav clamav-freshclam + + - name: 'install prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install cosign grype trivy + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false ref: 'main' + - name: 'build debian dev image' run: buildah unshare make branch_or_ref=master release_tag=master build_debian - - name: 'install scan prereqs' - run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-dev-debian:master scan + + - name: 'login ghcr.io' + env: + REGISTRY_USER: '${{ github.actor }}' + REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + run: | + echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" + - name: 'push images to github registry' run: | buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master" - - name: 'install Cosign' - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + - name: 'sign image with a key' env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-dev-debian:master + - name: 'verify image with public key' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master + - name: 'build fedora dev image' run: buildah unshare make branch_or_ref=master release_tag=master build_fedora - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make 
image_name=localhost/curl-dev-fedora:master scan + - name: 'push images to github registry' run: | buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master" + - name: 'sign image with a key' env: COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-dev-fedora:master + - name: 'verify image with public key' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index e8439da..d27b60b 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -21,26 +21,6 @@ jobs: permissions: packages: write # To create/update container on ghcr.io steps: - - name: 'login ghcr.io' - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 - with: - username: '${{ github.actor }}' - password: '${{ secrets.GITHUB_TOKEN }}' - registry: 'ghcr.io/${{ github.repository_owner }}' - - name: 'login docker hub' - env: - DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' - DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' - run: | - echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io - echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: 'login quay.io' - env: - QUAY_USER: '${{ secrets.QUAY_USER }}' - QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' - run: | - echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io - echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io - name: 'install dev deps' run: | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list 
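Review bot: In build_master_dev.yml the `build fedora dev image` step and its `security scan image` step now run after the new `login ghcr.io` step, so the fedora build executes with the registry token already in the runner's auth store — the opposite of what moving the ghcr.io login below the debian build and scan achieves for the first image. Move `build fedora dev image` and the scan step that follows it up to sit directly after the debian `security scan image` step, before `login ghcr.io`, so both builds and scans finish before any credential exists; that is a reorder only, no line needs rewriting. As a style point, the duplicated step names (`security scan image`, `push images to github registry`, `sign image with a key` and `verify image with public key` each appear twice) make the job log hard to follow; suffix them with `(debian)` / `(fedora)`. The job header and `steps:` key are outside this hunk.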
@@ -48,34 +28,47 @@ jobs: sudo rm -f /var/lib/man-db/auto-update sudo apt-get -o Dpkg::Use-Pty=0 install -y \ qemu-user-static buildah less git make podman clamav clamav-freshclam + + - name: 'install prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install cosign grype trivy + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false ref: 'main' + - name: 'build multi image' run: buildah unshare make branch_or_ref=master release_tag=master multibuild - name: 'test image' run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test - - name: 'install scan prereqs' - run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-multi:master scan + + - name: 'login ghcr.io' + env: + REGISTRY_USER: '${{ github.actor }}' + REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + run: | + echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" + - name: 'push multi images to github registry' run: | + buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master" buildah manifest push --all --format v2s2 localhost/curl-base-multi:master "docker://ghcr.io/curl/curl-container/curl-base-multi:master" - buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master" - - name: 'install Cosign' - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + - name: 'sign image with a key' env: COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-multi:master echo 
"${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-base-multi:master + - name: 'verify image with public key' run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:master