spike: build + key-based cosign against Forgejo registry
Some checks failed
spike-build / build (push) Failing after 10s
This commit is contained in:
commit
a818e8fd88
3 changed files with 55 additions and 0 deletions
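--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@@ -0,0 +1,46 @@
+# Forgejo Actions SPIKE stage 3a — build + push + Trivy + KEY-BASED cosign
+# sign/verify against Forgejo's own registry. Proves the migration's real
+# unknowns with no host-deploy setup. Copy to .forgejo/workflows/build.yml in a
+# throwaway Forgejo repo. Requires:
+# - repo Variable: FORGEJO_REGISTRY (e.g. forge.currentbits.net)
+# - repo Secrets: COSIGN_PRIVATE_KEY, COSIGN_PASSWORD, COSIGN_PUBLIC_KEY
+name: spike-build
+on: [push, workflow_dispatch]
+permissions: {}
+env:
+REGISTRY: ${{ vars.FORGEJO_REGISTRY }}
+jobs:
+build:
+runs-on: ubuntu-22.04
+steps:
+- uses: actions/checkout@v4
+- uses: docker/setup-buildx-action@v3
+- uses: docker/login-action@v3
+with:
+registry: ${{ env.REGISTRY }}
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+- id: push
+uses: docker/build-push-action@v6
+with:
+context: .
+push: true
+tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
+- uses: aquasecurity/trivy-action@0.28.0
+with:
+image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
+severity: CRITICAL,HIGH
+exit-code: '1'
+ignore-unfixed: true
+- uses: sigstore/cosign-installer@v3
+- name: cosign sign + verify (key-based)
+env:
+COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
+run: |
+set -euo pipefail
+cosign sign --key env://COSIGN_PRIVATE_KEY --yes "$IMAGE"
+printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
+cosign verify --key cosign.pub "$IMAGE"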
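Review bot: Every action in the steps list is referenced by a mutable tag (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`, `aquasecurity/trivy-action@0.28.0`, `sigstore/cosign-installer@v3`), so a retagged upstream release changes what runs with registry credentials and the cosign private key in its environment; pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`. Verifying with a public key that the same job pulls from `secrets.COSIGN_PUBLIC_KEY` only shows the key pair matches; for the spike to exercise the consumer side, the public key should be a repository Variable or a file a verifier outside this job can read, since it is not confidential. The image is also pushed before the Trivy step runs, so a scan failure leaves an unsigned but pullable `sha-` tag in the registry; that is defensible if pulls are gated on signature verification, but the header comment should say so.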
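--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+cosign.key
+cosign.pub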
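--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+# Throwaway spike app (ADR-0064): serves 200 on /health:3000 so the platform's
+# built-app healthcheck passes. Copy into a Forgejo repo next to
+# .forgejo/workflows/build.yml. Not platform code — spike scaffolding.
+FROM nginx:alpine
+RUN printf 'server {\n listen 3000;\n location = /health { return 200 "ok\n"; }\n}\n' \
+> /etc/nginx/conf.d/default.conf
+EXPOSE 3000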
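Review bot: `FROM nginx:alpine` is a floating alias, so the digest that Trivy scans and cosign signs changes whenever upstream retags, which undercuts a spike meant to prove reproducible scan-and-sign results; pin to a specific release and digest, e.g. `FROM nginx:<version>-alpine@sha256:<digest>`. The image also ends with no `USER` directive, so the nginx master process runs as root; for scaffolding that is acceptable, but a comment saying so (or using the unprivileged nginx variant, which already listens on a high port) keeps it from being copied into platform code unreviewed. The `\n` inside the `return 200 "ok\n"` argument is expanded by printf as well, leaving a literal line break inside the nginx string literal — that appears intended, but a short comment noting it would save the next reader a double-take.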