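# Forgejo Actions SPIKE stage 3a — build + push + Trivy + KEY-BASED cosign
# sign/verify against Forgejo's own registry. Proves the migration's real
# unknowns with no host-deploy setup. Copy to .forgejo/workflows/build.yml in a
# throwaway Forgejo repo. Requires:
# - repo Variable: FORGEJO_REGISTRY (e.g. forge.currentbits.net)
# - repo Secrets: COSIGN_PRIVATE_KEY, COSIGN_PASSWORD, COSIGN_PUBLIC_KEY
#
# Review notes (supply chain):
# - Every `uses:` below is a mutable ref (@v4, @v3, @v6, @0.28.0). For anything
#   beyond a spike, pin each action to a full commit SHA and keep the version
#   as a trailing comment, e.g. `uses: owner/action@<commit-sha>  # vX.Y.Z`.
# - The image is pushed BEFORE the Trivy gate runs, so a failing scan stops
#   signing but not publication. Consumers must therefore require a valid
#   cosign signature (as the verify step does) rather than trust the tag.

name: spike-build

on: [push, workflow_dispatch]

# Least privilege by default. NOTE(review): the login step pushes with
# GITHUB_TOKEN; on GitHub this block would need `packages: write` for the push
# to succeed — whether Forgejo's token scoping honours `permissions` is one of
# the unknowns this spike is meant to answer, so observe the push step.
permissions: {}

env:
  REGISTRY: ${{ vars.FORGEJO_REGISTRY }}

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4

      # Fail fast when the repo Variable is missing: an empty REGISTRY would
      # otherwise silently yield refs like "/owner/repo/web:sha-..." and the
      # failure surfaces only at login/push with a less obvious error.
      - name: check FORGEJO_REGISTRY is set
        run: |
          set -euo pipefail
          if [ -z "${REGISTRY:-}" ]; then
            echo "repo Variable FORGEJO_REGISTRY is not set" >&2
            exit 1
          fi

      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tag is derived from the commit SHA; `digest` output is what the scan
      # and signature below bind to.
      - id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}

      # Scan the pushed image by digest (not by tag) so the scanned bytes are
      # exactly the ones signed below. exit-code '1' fails the job on any
      # CRITICAL/HIGH finding; ignore-unfixed drops findings with no vendor fix,
      # so the gate only blocks on actionable vulnerabilities.
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
          severity: CRITICAL,HIGH
          exit-code: '1'
          ignore-unfixed: true

      - uses: sigstore/cosign-installer@v3

      # Key-based signing: the private key is read via env:// so it is never
      # written to the workspace; --yes skips cosign's interactive prompt.
      # The signature binds to the image digest, so a later retag of other
      # content is not covered. COSIGN_PUBLIC_KEY is not confidential — it is
      # kept as a Secret here only for convenience (it is masked in logs).
      # Verifying with key material from the same repo proves the round trip
      # works, not that a third party can trust it: consumers need the public
      # key distributed out of band.
      - name: cosign sign + verify (key-based)
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
          IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
        run: |
          set -euo pipefail
          cosign sign --key env://COSIGN_PRIVATE_KEY --yes "$IMAGE"
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          cosign verify --key cosign.pub "$IMAGE"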