Build all terminal images #585

Workflow file for this run

.github/workflows/build-terminal-images.yaml at 0a6d19e

	name: Build all terminal images
	on:
	schedule:
	- cron: "0 0 * * *"
	workflow_dispatch:

	jobs:
	build-image:
	runs-on: ubuntu-latest

	if: github.repository == 'chainguard-dev/edu'

	permissions:
	id-token: write # Federate with GCP and sign images

	strategy:
	matrix:
	image:
	- apko
	- cosign
	- policy-controller-base
	- policy-controller-install
	- rekor
	- vexctl

	container:
	image: ghcr.io/wolfi-dev/sdk:latest@sha256:a96b9173cb5dd9d6050ecb11b6ec326f47a32d93537838845be5e558f9103148
	# TODO: Deprivilege
	options: \|
	--cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined

	steps:
	- name: 'Github Actions Runner'
	uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
	with:
	egress-policy: audit

	- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0

	- name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: melange keygen
	shell: bash
	working-directory: terminal-images/${{ matrix.image }}
	run: \|
	melange keygen

	- name: melange build
	shell: bash
	working-directory: terminal-images/${{ matrix.image }}
	run: \|
	melange build melange.yaml --arch x86_64 --signing-key melange.rsa

	- name: Authenticate to Google Cloud
	id: auth
	uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
	with:
	service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
	workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"
	token_format: 'access_token'

	- name: Setup G Cloud SDK
	uses: 'google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7' # v2.0.11

	- name: Configure GCR auth
	shell: bash
	run: gcloud auth configure-docker "${{ secrets.TERMINAL_REGISTRY_URL }}"

	- name: apko login
	shell: bash
	run: \|
	apko login \
	"${{ secrets.TERMINAL_REGISTRY_URL }}" \
	--password=${{ steps.auth.outputs.access_token }} \
	--username="oauth2accesstoken"

	- name: apko publish
	shell: bash
	# working-directory: terminal-images/${{ matrix.image }}
	run: \|
	apko publish \
	--arch x86_64 apko.yaml \
	--image-refs image-refs.txt \
	"${{ secrets.TERMINAL_REGISTRY_URL }}/${{ secrets.TERMINAL_REPOSITORY }}/${{ matrix.image }}:latest" \
	-k melange.rsa.pub \
	--sbom-path . \
	-C terminal-images/${{ matrix.image }}

	# - name: cosign login
	# shell: bash
	# run: \|
	# cosign login \
	# -p ${{ steps.auth.outputs.access_token }} \
	# -u oauth2accesstoken \
	# ${{ env.REGISTRY_URL }}

	# - name: cosign attest sbom
	# working-directory: terminal-images/${{ matrix.image }}
	# run: cosign attest -y --predicate sbom-x86_64.spdx.json --type spdxjson "$(cat image-refs.txt)"

	# - name: cosign sign image
	# working-directory: terminal-images/${{ matrix.image }}
	# run: cosign sign -y "$(cat image-refs.txt)

	- name: Post failure notice to Slack
	uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.3.0
	if: ${{ failure() }}
	env:
	SLACK_ICON: http://github.com/chainguard-dev.png?size=48
	SLACK_USERNAME: guardian
	SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
	SLACK_CHANNEL: 'alerts-edu'
	SLACK_COLOR: '#8E1600'
	MSG_MINIMAL: 'true'
	SLACK_TITLE: 'Build Terminal Images failed - ${{ github.repository }}'
	SLACK_MESSAGE: \|
	For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build all terminal images #585

Workflow file

Build all terminal images #585

Jobs

Run details

Workflow file for this run