commit a818e8fd88de127be9e6d686098d0431bb81bcb9
Author: root
Date: Wed Jul 1 09:16:27 2026 +0000
spike: build + key-based cosign against Forgejo registry
diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml
new file mode 100644
index 0000000..f11e5ef
--- /dev/null
+++ b/.forgejo/workflows/build.yml
@@ -0,0 +1,46 @@
+# Forgejo Actions SPIKE stage 3a — build + push + Trivy + KEY-BASED cosign
+# sign/verify against Forgejo's own registry. Proves the migration's real
+# unknowns with no host-deploy setup. Copy to .forgejo/workflows/build.yml in a
+# throwaway Forgejo repo. Requires:
+# - repo Variable: FORGEJO_REGISTRY (e.g. forge.currentbits.net)
+# - repo Secrets: COSIGN_PRIVATE_KEY, COSIGN_PASSWORD, COSIGN_PUBLIC_KEY
+name: spike-build
+on: [push, workflow_dispatch]
+permissions: {}
+env:
+ REGISTRY: ${{ vars.FORGEJO_REGISTRY }}
+jobs:
+ build:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: docker/setup-buildx-action@v3
+ - uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - id: push
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
+ - uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
+ severity: CRITICAL,HIGH
+ exit-code: '1'
+ ignore-unfixed: true
+ - uses: sigstore/cosign-installer@v3
+ - name: cosign sign + verify (key-based)
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+ IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
+ run: |
+ set -euo pipefail
+ cosign sign --key env://COSIGN_PRIVATE_KEY --yes "$IMAGE"
+ printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
+ cosign verify --key cosign.pub "$IMAGE"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1ef43db
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+cosign.key
+cosign.pub
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..09154c1
--- /dev/null
+++ b/Dockerfile
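Review bot: Every third-party action in this workflow is pulled by a mutable tag (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`, `aquasecurity/trivy-action@0.28.0`, `sigstore/cosign-installer@v3`), so the job that holds COSIGN_PRIVATE_KEY executes whatever those tags resolve to at run time; for a workflow whose whole purpose is to be a signing trust root, pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha> # v3`. Separately, `permissions: {}` at workflow level with no override on the `build` job leaves GITHUB_TOKEN with no scopes, so if Forgejo honours `permissions` the way GitHub does, the login and push steps will fail; declare the minimum explicitly on the job, `permissions: { contents: read, packages: write }`, so the least-privilege intent survives even where the keyword is ignored. Finally, COSIGN_PUBLIC_KEY is not a secret and verifying with a key taken from the same secret store the signer uses only proves the tooling runs, which is fine for a spike but worth saying in the header comment, e.g. `# NOTE: verify-with-same-secret is a tooling check only; a real pipeline distributes the public key out of band (repo Variable), not from Secrets.`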
@@ -0,0 +1,7 @@
+# Throwaway spike app (ADR-0064): serves 200 on /health:3000 so the platform's
+# built-app healthcheck passes. Copy into a Forgejo repo next to
+# .forgejo/workflows/build.yml. Not platform code — spike scaffolding.
+FROM nginx:alpine
+RUN printf 'server {\n listen 3000;\n location = /health { return 200 "ok\n"; }\n}\n' \
+ > /etc/nginx/conf.d/default.conf
+EXPOSE 3000
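Review bot: `FROM nginx:alpine` is a floating tag, so the image the Trivy gate scans and the digest cosign signs change whenever the upstream tag moves, with no change in this repo; a run that fails the `CRITICAL,HIGH` gate tomorrow would then not be attributable to anything the spike did. Pin it as `FROM nginx:<version>-alpine@sha256:<digest>` (placeholders) so the scan-then-sign path is being exercised against a fixed input. There is also no `USER` directive and the official image does not drop root on its own; port 3000 needs no privilege, so a one-line header note such as `# Runs as root on purpose (spike only); set USER or use an unprivileged base before reuse.` would stop the scaffolding from being copied as-is.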