
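# Forgejo Actions SPIKE stage 3a — build + push + Trivy + KEY-BASED cosign
# sign/verify against Forgejo's own registry. Proves the migration's real
# unknowns with no host-deploy setup. Copy to .forgejo/workflows/build.yml in a
# throwaway Forgejo repo. Requires:
# - repo Variable: FORGEJO_REGISTRY (e.g. forge.currentbits.net)
# - repo Secrets: COSIGN_PRIVATE_KEY, COSIGN_PASSWORD, COSIGN_PUBLIC_KEY,
#   REGISTRY_TOKEN (a Forgejo PAT with write:package — the
#   automatic Actions token lacks package-write scope)
#
# Review notes for the real workflow (deliberately not changed in the spike):
# - Every `uses:` is pinned to a mutable major tag (@v3/@v4/@v6). A moved tag
#   changes what runs with REGISTRY_TOKEN and the signing key in scope; pin
#   each action to a full commit SHA before this leaves the spike.
# - The verify step reads the public key from the same secret store as the
#   private key, so it only proves the key pair is self-consistent. Real
#   consumers must verify against a public key distributed out of band
#   (committed to the repo or published separately), not pulled from secrets.
name: spike-build
# `on` is a YAML 1.1 boolean key; Forgejo's workflow loader handles it, so
# yamllint's truthy warning here is expected.
on: [push, workflow_dispatch]
permissions:
  contents: read
  # NOTE(review): the push below authenticates with REGISTRY_TOKEN (a PAT), not
  # the automatic Actions token, so this grant is not what makes the push work.
  # Kept because it is harmless and documents intent; confirm whether Forgejo
  # honours `permissions:` at all before relying on it elsewhere.
  packages: write
env:
  REGISTRY: ${{ vars.FORGEJO_REGISTRY }}
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      # Fail fast: an unset FORGEJO_REGISTRY expands to "", which makes
      # docker/login-action fall back to its default registry and yields an
      # image tag of "/<owner>/<repo>/web:..." — a confusing failure far from
      # its cause. Workflow-level env is exported to the step shell.
      - name: check registry variable
        run: |
          set -euo pipefail
          if [ -z "${REGISTRY:-}" ]; then
            echo "repo Variable FORGEJO_REGISTRY is not set" >&2
            exit 1
          fi
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          # NOTE(review): username is whoever triggered the run, while the
          # password is a PAT issued to one account. Confirm Forgejo's registry
          # accepts the PAT regardless of the supplied username; otherwise
          # pushes triggered by another user fail at login.
          username: ${{ github.actor }}
          # Forgejo's automatic token can't push packages — use a PAT (write:package).
          password: ${{ secrets.REGISTRY_TOKEN }}
      - id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
      # Trivy removed from the 3a proof — it's parity, not the risk, and was
      # erroring on the registry pull and blocking cosign. Add it back (gating)
      # in the real workflow once the cosign path is proven.
      - uses: sigstore/cosign-installer@v3
      - name: cosign sign + verify (key-based)
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
          # Sign by digest, not by tag: the tag is mutable, the digest is what
          # a verifier can actually pin to.
          IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
        run: |
          set -euo pipefail
          # --yes skips cosign's interactive prompts, including the consent
          # prompt for uploading to the public Rekor transparency log. With the
          # default settings the image reference (internal registry host and
          # repo path) lands in that public log; if that is unwanted, review
          # cosign's --tlog-upload option and the matching verify-side flags
          # before using this against a private registry.
          cosign sign --key env://COSIGN_PRIVATE_KEY --yes "$IMAGE"
          # Materialise the public key from the secret for `cosign verify`;
          # the file is left in the workspace, which is fine on a throwaway
          # runner (it is a public key).
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          cosign verify --key cosign.pub "$IMAGE"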