spike/.forgejo/workflows/build.yml
root 656e93af9e
fix: trivy-action@master (0.28.0 tag doesn't resolve)
2026-07-01 09:25:47 +00:00


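# Forgejo Actions SPIKE stage 3a — build + Trivy scan + push + KEY-BASED cosign
# sign/verify against Forgejo's own registry. Proves the migration's real
# unknowns with no host-deploy setup. Copy to .forgejo/workflows/build.yml in a
# throwaway Forgejo repo. Requires:
# - repo Variable: FORGEJO_REGISTRY (e.g. forge.currentbits.net)
# - repo Secrets: COSIGN_PRIVATE_KEY, COSIGN_PASSWORD, COSIGN_PUBLIC_KEY
#
# Step order matters: the image is built into the local daemon, scanned, and
# only then pushed, so a CRITICAL/HIGH finding never leaves an unsigned image
# sitting in the registry. Sign/verify run against the pushed digest, never a
# mutable tag.
name: spike-build
on: [push, workflow_dispatch]
# NOTE(review): under GitHub-style semantics an empty permissions map would
# leave GITHUB_TOKEN without packages:write for the registry push; confirm how
# this Forgejo runner scopes the token before relying on it.
permissions: {}
env:
  REGISTRY: ${{ vars.FORGEJO_REGISTRY }}
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the checkout token in .git/config where later steps
          # (including third-party actions) could read it; nothing here pushes.
          persist-credentials: false
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Build once into the local daemon so the scan gates publication; the
      # push step below rebuilds from the warm buildx cache.
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
      # TODO(security): pin to a full commit SHA (e.g. @<FULL_COMMIT_SHA>) once
      # a resolvable release exists; a mutable branch ref on a third-party
      # action is a supply-chain risk.
      - uses: aquasecurity/trivy-action@master
        with:
          # Local tag from the build step; Trivy resolves it from the daemon.
          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
          severity: CRITICAL,HIGH
          # Fail the job on any CRITICAL/HIGH finding that has a fix available.
          exit-code: '1'
          ignore-unfixed: true
      # Only reached when the scan passed; produces the digest used for signing.
      - id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
      - uses: sigstore/cosign-installer@v3
      - name: cosign sign + verify (key-based)
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
          # Digest-pinned reference: the signature binds to exactly what was pushed.
          IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
        run: |
          set -euo pipefail
          cosign sign --key env://COSIGN_PRIVATE_KEY --yes "$IMAGE"
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          cosign verify --key cosign.pub "$IMAGE"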