From e446018d0010c58ce502a14eac183e4bcc98e70a Mon Sep 17 00:00:00 2001
From: Francesco Canovai <francesco.canovai@enterprisedb.com>
Date: Wed, 22 Jan 2025 10:13:55 +0100
Subject: [PATCH 1/3] ci: copy and sign prod images

Use skopeo to copy testing images to the production registry when they
pass the security tests, instead of rebuilding them. After that, we sign
the production images too.

Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>
---
 .github/workflows/bake.yaml | 74 ++++++++++++++++++++-----------------
 1 file changed, 41 insertions(+), 33 deletions(-)

diff --git a/.github/workflows/bake.yaml b/.github/workflows/bake.yaml
index 51524f98..de00a49e 100644
--- a/.github/workflows/bake.yaml
+++ b/.github/workflows/bake.yaml
@@ -121,24 +121,23 @@ jobs:
         with:
           sarif_file: snyk.sarif
 
-  # Build the image for production.
-  #
-  # TODO: no need to rebuild everything, just copy the testing images we have generated to the production registry
-  #   if we get here and we are building for production.
-  prodbuild:
+  # Use the metadata generated in the `testbuild` step to find all the images
+  # that have been built. We copy them one by one to the procuction registry
+  # using skopeo. Then we sign the production images too.
+  copytoproduction:
+    name: Copy images to production
     if: github.event.inputs.environment == 'production' || github.event_name == 'schedule'
-    name: Build for production
     runs-on: ubuntu-latest
     needs:
+      - testbuild
       - security
     permissions:
       contents: read
       packages: write
       security-events: write
+      # Required by the cosign step
+      id-token: write
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-
       - name: Log in to the GitHub Container registry
         uses: docker/login-action@v3
         with:
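Review bot: The permissions block still grants `security-events: write` although the reworked job no longer produces code-scanning results — its steps (registry login, image copy, cosign install, sign) are visible in the next hunk and none of them uploads SARIF — so least privilege suggests trimming it to `contents: read`, `packages: write` and `id-token: write`. The new `testbuild` entry in `needs:` exists because the job reads `needs.testbuild.outputs.metadata`; a short comment beside it, e.g. `# testbuild: its metadata output lists the images to promote`, would make that dependency explicit for the next reader. The job definition continues past the end of this hunk.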
@@ -146,32 +145,41 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: 'arm64'
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build and push
-        uses: docker/bake-action@v6
-        id: build
-        env:
-          environment: production
-          registry: ghcr.io/${{ github.repository_owner }}
-          revision: ${{ github.sha }}
-        with:
-          push: true
-
+      - name: Copy images
+        run: |
+          images=$(echo '${{needs.testbuild.outputs.metadata}}' |
+            jq -r '
+              .[] as $items |
+              (
+                $items."image.name" |
+                split(",")[] +
+                  "@" +
+                  $items."containerimage.digest"
+              )
+            '
+          )
+          for image in $images
+          do
+            testimageshaonly="${image%:*@*}@${image#*@}"
+            testimagenosha="${image%@*}"
+            prodimage="${testimagenosha/-testing/}"
+            echo "Copying ${testimageshaonly} to ${prodimage}"
+            docker run --quiet quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
+              --dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
+              docker://${testimageshaonly} docker://${prodimage}
+          done
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
-        # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
-        # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
-        # how to use cosign.
       - name: Sign images
         run: |
-          images=$(echo '${{ steps.build.outputs.metadata }}' |
-            jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'
+          images=$(echo '${{needs.testbuild.outputs.metadata}}' |
+            jq -r '.[] |
+              (
+                ."image.name" |
+                sub(",.*";"") |
+                sub("-testing:[^@]+";"")
+              ) + "@" + ."containerimage.digest"
+            '
           )
-          cosign sign --yes ${images}
+          echo "Signing ${images}"
+          cosign sign --yes ${images}
\ No newline at end of file
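Review bot: Both new `run:` scripts splice `${{needs.testbuild.outputs.metadata}}` straight into the shell text (the `images=$(echo '…'` lines of Copy images and Sign images), so the bake metadata is interpreted by bash before jq ever sees it, and a single quote inside it would break the quoting; passing it through `env:` and reading `"$METADATA"` keeps it as data in both steps. The `--dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}` argument also puts the token on the skopeo container's command line, where anything that can inspect the container can read it; reusing the config.json written by the earlier login-action step via `--dest-authfile` avoids that, as sketched below. Since this step promotes and then signs production images, pinning `quay.io/skopeo/stable:v1.17.0-immutable` by digest as well would tighten the chain (the tag name suggests it is not moved, but a digest is verifiable). The Sign images step needs the same `env:` treatment for its `images=` line.
```yaml
      - name: Copy images
        env:
          # Passed through the environment so the JSON is never parsed as shell text
          METADATA: ${{ needs.testbuild.outputs.metadata }}
        run: |
          images=$(echo "$METADATA" |
            jq -r '
          # … unchanged: jq filter and the tag/-testing rewriting loop …
            # reuse the login-action credentials instead of putting the token in argv
            docker run --quiet -v "$HOME/.docker/config.json:/auth.json:ro" \
              quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
              --dest-authfile /auth.json \
              docker://${testimageshaonly} docker://${prodimage}
          done
```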

From cd2162d545d5fd064c5fa293c9ba0431f46a0345 Mon Sep 17 00:00:00 2001
From: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Date: Thu, 23 Jan 2025 14:58:18 +0100
Subject: [PATCH 2/3] add condition, push only from main

Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
---
 .github/workflows/bake.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/bake.yaml b/.github/workflows/bake.yaml
index de00a49e..ffe71f48 100644
--- a/.github/workflows/bake.yaml
+++ b/.github/workflows/bake.yaml
@@ -122,11 +122,13 @@ jobs:
           sarif_file: snyk.sarif
 
   # Use the metadata generated in the `testbuild` step to find all the images
-  # that have been built. We copy them one by one to the procuction registry
+  # that have been built. We copy them one by one to the production registry
   # using skopeo. Then we sign the production images too.
   copytoproduction:
     name: Copy images to production
-    if: github.event.inputs.environment == 'production' || github.event_name == 'schedule'
+    if: |
+      github.ref == 'refs/heads/main' &&
+      ( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
     runs-on: ubuntu-latest
     needs:
       - testbuild
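Review bot: The split condition uses the literal block style `if: |`, which keeps the line break and a trailing newline inside the expression string; GitHub evaluates it correctly, but `if: >-` folds it back into the single expression it is and is the form usually used for multi-line conditions. Behaviour is the same either way, so this is a point of style only. The job definition continues outside the hunk.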
@@ -182,4 +184,4 @@ jobs:
             '
           )
           echo "Signing ${images}"
-          cosign sign --yes ${images}
\ No newline at end of file
+          cosign sign --yes ${images}

From 0b08316e64fe4f845491c42d95b23cb7ba7f2ef6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niccol=C3=B2=20Fei?= <niccolo.fei@enterprisedb.com>
Date: Mon, 27 Jan 2025 14:36:14 +0100
Subject: [PATCH 3/3] chore: lint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
---
 .github/workflows/bake.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/bake.yaml b/.github/workflows/bake.yaml
index ffe71f48..9b8d4f53 100644
--- a/.github/workflows/bake.yaml
+++ b/.github/workflows/bake.yaml
@@ -149,7 +149,7 @@ jobs:
 
       - name: Copy images
         run: |
-          images=$(echo '${{needs.testbuild.outputs.metadata}}' |
+          images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
             jq -r '
               .[] as $items |
               (
@@ -170,11 +170,13 @@ jobs:
               --dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
               docker://${testimageshaonly} docker://${prodimage}
           done
+
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
+
       - name: Sign images
         run: |
-          images=$(echo '${{needs.testbuild.outputs.metadata}}' |
+          images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
             jq -r '.[] |
               (
                 ."image.name" |