spike: build + key-based cosign against Forgejo registry
This commit is contained in:
commit
a818e8fd88
3 changed files with 55 additions and 0 deletions
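--- /dev/null
+++ b/.forgejo/workflows/build.yml
@@ -0,0 +1,46 @@
+# Forgejo Actions SPIKE stage 3a — build + push + Trivy + KEY-BASED cosign
+# sign/verify against Forgejo's own registry. Proves the migration's real
+# unknowns with no host-deploy setup. Copy to .forgejo/workflows/build.yml in a
+# throwaway Forgejo repo. Requires:
+# - repo Variable: FORGEJO_REGISTRY (e.g. forge.currentbits.net)
+# - repo Secrets: COSIGN_PRIVATE_KEY, COSIGN_PASSWORD, COSIGN_PUBLIC_KEY
+name: spike-build
+on: [push, workflow_dispatch]
+permissions: {}
+env:
+  REGISTRY: ${{ vars.FORGEJO_REGISTRY }}
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
+      - uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
+          severity: CRITICAL,HIGH
+          exit-code: '1'
+          ignore-unfixed: true
+      - uses: sigstore/cosign-installer@v3
+      - name: cosign sign + verify (key-based)
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+          IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
+        run: |
+          set -euo pipefail
+          cosign sign --key env://COSIGN_PRIVATE_KEY --yes "$IMAGE"
+          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
+          cosign verify --key cosign.pub "$IMAGE"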
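Review bot: Every third-party action in the steps list is pinned to a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v6`, `sigstore/cosign-installer@v3`, `aquasecurity/trivy-action@0.28.0`), so the job that holds the signing key executes whatever those tags resolve to on the day of the build; before this leaves the spike, pin each `uses:` to a full commit SHA and keep the tag in a trailing comment. The public key is pulled from a Secret and verified in the same job that signed, which only proves the key pair matches — no consumer can repeat the check — so publish it as a repo Variable or a committed file instead (the accompanying `.gitignore` currently excludes `cosign.pub`). Note also that `docker/build-push-action` pushes before Trivy runs, so a failing scan still leaves an unsigned but pullable image in the registry; that is acceptable only if every deploy path enforces `cosign verify`. `permissions: {}` is presumably ignored by Forgejo's runner, but on GitHub it would strip `packages: write` from `GITHUB_TOKEN` and break the login step, which deserves a comment if the file is meant to be portable.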
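--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+cosign.key
+cosign.pub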
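--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+# Throwaway spike app (ADR-0064): serves 200 on /health:3000 so the platform's
+# built-app healthcheck passes. Copy into a Forgejo repo next to
+# .forgejo/workflows/build.yml. Not platform code — spike scaffolding.
+FROM nginx:alpine
+RUN printf 'server {\n listen 3000;\n location = /health { return 200 "ok\n"; }\n}\n' \
+    > /etc/nginx/conf.d/default.conf
+EXPOSE 3000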
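Review bot: `FROM nginx:alpine` floats both the nginx release and the Alpine base, so the Trivy gate and the cosign signature in the workflow attest to a different input on every build; pin at least a minor tag and ideally a digest, `FROM nginx:<x.y>-alpine@sha256:<digest>`, taken from `docker buildx imagetools inspect`. The image also ends as root, since the stock nginx image sets no `USER`; for scaffolding that is tolerable, but the header comment should say so, e.g. `# runs as root (stock nginx image) — not for reuse beyond the spike`. The `\n` inside `"ok\n"` is expanded by printf into a literal newline within the nginx string literal, which nginx appears to tolerate but is easy to misread; plain `"ok"` would serve the same 200 more clearly.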