# Forgejo Actions SPIKE stage 3a — build + push + Trivy + KEY-BASED cosign
# sign/verify against Forgejo's own registry. Proves the migration's real
# unknowns with no host-deploy setup. Copy to .forgejo/workflows/build.yml in a
# throwaway Forgejo repo. Requires:
#   - repo Variable: FORGEJO_REGISTRY (e.g. forge.currentbits.net)
#   - repo Secrets: COSIGN_PRIVATE_KEY, COSIGN_PASSWORD, COSIGN_PUBLIC_KEY,
#                   REGISTRY_TOKEN (a Forgejo PAT with write:package — the
#                   automatic Actions token lacks package-write scope)
#
# Flow: checkout -> buildx -> registry login -> build+push (tagged, digest
# captured) -> Trivy scan of the pushed digest -> cosign sign + verify of that
# same digest. The image is in the registry BEFORE it is scanned: a scan
# failure (exit-code 1) stops the job, so the image stays pushed but unsigned.
# Consumers that run `cosign verify` will reject it; consumers that only pull
# the sha-* tag will not.
name: spike-build

on: [push, workflow_dispatch]

# NOTE(review): the header above already states that Forgejo's automatic token
# cannot write packages regardless of this block; it is kept for parity with
# GitHub Actions and as a statement of intent — confirm whether Forgejo honours
# `permissions:` at all.
permissions:
  contents: read
  packages: write  # required to push the image to Forgejo's registry

env:
  REGISTRY: ${{ vars.FORGEJO_REGISTRY }}

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      # Every third-party action below is referenced by a mutable ref (release
      # tags, and trivy-action by its `master` branch). Everything after the
      # login step runs on a runner that already holds the REGISTRY_TOKEN
      # credential, so an upstream change to any of them could push to the
      # registry. Pin each `uses:` to a commit SHA (`@<COMMIT_SHA>`) before
      # using this outside a throwaway repo.
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          # github.actor is whoever triggered the run, while REGISTRY_TOKEN
          # belongs to one account. A push by a different collaborator logs in
          # under a username that does not own the PAT — presumably rejected by
          # Forgejo; verify, and consider a dedicated registry-user variable.
          username: ${{ github.actor }}
          # Forgejo's automatic token can't push packages — use a PAT (write:package).
          password: ${{ secrets.REGISTRY_TOKEN }}
      - id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
      # Scan the pushed image by digest (not by tag) so the scanned bytes are
      # exactly what gets signed below. A CRITICAL/HIGH finding that has a fix
      # available (ignore-unfixed drops the rest) fails the job before signing.
      - uses: aquasecurity/trivy-action@master  # TODO(review): pin — @master is a moving branch
        with:
          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
          severity: CRITICAL,HIGH
          exit-code: '1'
          ignore-unfixed: true
      - uses: sigstore/cosign-installer@v3
      # Key-based signing. Only this step has the cosign secrets in its env; the
      # private key is handed to cosign via env:// rather than written into the
      # workspace. COSIGN_PUBLIC_KEY is not confidential — it is stored as a
      # Secret here only for convenience; the public key is written to
      # cosign.pub solely because `cosign verify --key` takes a file path.
      # `--yes` suppresses cosign's interactive confirmation; registry auth for
      # both sign and verify comes from the docker login above.
      - name: cosign sign + verify (key-based)
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
          # Sign the immutable digest, not the mutable sha-* tag, so the
          # signature stays bound to the scanned content even if the tag is
          # later re-pointed.
          IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
        run: |
          set -euo pipefail
          cosign sign --key env://COSIGN_PRIVATE_KEY --yes "$IMAGE"
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          cosign verify --key cosign.pub "$IMAGE"