Added the corresponding workflows
Vivek Yadav committed Apr 2, 2024
1 parent 4bf6ee4 commit 67f3de3
Showing 11 changed files with 187 additions and 88 deletions.
Expand Up @@ -28,39 +28,39 @@ jobs:
id: apko
uses: distroless/actions/apko-build@main
with:
config: initializbuildpacks/${{ inputs.image }}/apko.yaml
tag: initializbuildpacks/${{ inputs.image }}:latest
config: images/SecurePacks/InitzBuilder/${{ inputs.image }}/apko.yaml
tag: initz/${{ inputs.image }}:latest

- name: Tag, and push docker image to Amazon ECR Public
run: |
docker load < output.tar
- name: Check if Docker image exists locally
run: |
if docker images initializbuildpacks/${{ inputs.image }}:latest-amd64 | grep -q initializbuildpacks/${{ inputs.image }}; then
echo "Docker image initializbuildpacks/${{ inputs.image }}:latest found."
if docker images initz/${{ inputs.image }}:latest-amd64 | grep -q initz/${{ inputs.image }}; then
echo "Docker image initz/${{ inputs.image }}:latest found."
else
echo "Docker image initializbuildpacks/${{ inputs.image }}:latest not found. Please build the image first."
echo "Docker image initz/${{ inputs.image }}:latest not found. Please build the image first."
exit 1
fi
- name: Tag and push Docker image to Docker Hub
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
REPOSITORY: ${{ inputs.image }}
run: |
docker tag initializbuildpacks/${{ inputs.image }}:latest-amd64 initializbuildpacks/${{ inputs.image }}:latest
docker push initializbuildpacks/${{ inputs.image }}:latest
docker tag initz/${{ inputs.image }}:latest-amd64 initz/${{ inputs.image }}:latest
docker push initz/${{ inputs.image }}:latest
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Sign the images
run: |
cosign sign \
--yes initializbuildpacks/${{ inputs.image }}:latest
--yes initz/${{ inputs.image }}:latest
- name: Verify the pushed tags
run: |
cosign verify \
initializbuildpacks/${{ inputs.image }}:latest \
--certificate-identity https://github.com/initializ/secure-images/.github/workflows/release.yml@refs/heads/main \
initz/${{ inputs.image }}:latest \
--certificate-identity https://github.com/initializ/secure-images/.github/workflows/InitzBuilderapkorelease.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
- name: Attest SBOM
run: |
cosign attest \
--yes --predicate sbom-x86_64.spdx.json --type spdxjson initializbuildpacks/${{ inputs.image }}:latest
--yes --predicate sbom-x86_64.spdx.json --type spdxjson initz/${{ inputs.image }}:latest
54 changes: 54 additions & 0 deletions .github/workflows/InitzBuilderdockerfile.yaml
@@ -0,0 +1,54 @@
on:
workflow_dispatch:
inputs:
image:
description: 'Image to Release'
required: true
type: string
inputs:
tag:
description: 'Tag'
required: true
type: string

permissions:
id-token: write # This is required for GH OIDC connection
contents: read # This is required for actions/checkout

jobs:
image-release:
runs-on: ubuntu-latest

steps:
- name: Git checkout
uses: actions/checkout@v3

- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Build image
run: |
docker build -t images/SecurePacks/InitzBuilder/Stack/${{ inputs.image }}:${{ inputs.tag }} -f images/SecurePacks/InitzBuilder/Stack/${{ inputs.image }}/Dockerfile .
docker tag images/SecurePacks/InitzBuilder/Stack/${{ inputs.image }}:${{ inputs.tag }} securepacks/${{ inputs.image }}:${{ inputs.tag }}
- name: Tag and push Docker image to Docker Hub
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
REPOSITORY: ${{ inputs.image }}
run: |
docker push securepacks/${{ inputs.image }}:${{ inputs.tag }}
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Sign the images
run: |
cosign sign \
--yes public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest
- name: Verify the pushed tags
run: |
cosign verify \
public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest \
--certificate-identity https://github.com/initializ/secure-images/.github/workflows/InitzBuilderdockerfile.yaml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
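Review bot: `inputs:` appears twice under `workflow_dispatch:` (once above `image:`, once above `tag:`), which is a duplicate mapping key; depending on the parser the file is rejected outright or only the last mapping survives, in which case the `image` input is silently dropped and `${{ inputs.image }}` expands empty in every step below. Delete the second `inputs:` line and indent `tag:` as a sibling of `image:` under the first mapping. Separately, the sign and verify steps act on `public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest` while the only image this workflow pushes is `securepacks/${{ inputs.image }}:${{ inputs.tag }}`, so the image that was built is never signed and the verify step checks an artifact this job did not produce; both lines should name `securepacks/${{ inputs.image }}:${{ inputs.tag }}`, ideally by digest rather than tag so a later push cannot move the signature target. The same two defects are present in PythonBuilderdockerfile.yaml.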
66 changes: 66 additions & 0 deletions .github/workflows/PythoBuilderapkorelease.yaml
@@ -0,0 +1,66 @@
on:
workflow_dispatch:
inputs:
image:
description: 'Image to Release'
required: true
type: string

permissions:
id-token: write # This is required for GH OIDC connection
contents: read # This is required for actions/checkout

jobs:
image-release:
runs-on: ubuntu-latest

steps:
- name: Git checkout
uses: actions/checkout@v3

- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Create & Push Minimal Image using apko
id: apko
uses: distroless/actions/apko-build@main
with:
config: images/SecurePacks/PythonBuilder/${{ inputs.image }}/apko.yaml
tag: Python/${{ inputs.image }}:latest

- name: Tag, and push docker image to Amazon ECR Public
run: |
docker load < output.tar
- name: Check if Docker image exists locally
run: |
if docker images Python/${{ inputs.image }}:latest-amd64 | grep -q Python/${{ inputs.image }}; then
echo "Docker image Python/${{ inputs.image }}:latest found."
else
echo "Docker image Python/${{ inputs.image }}:latest not found. Please build the image first."
exit 1
fi
- name: Tag and push Docker image to Docker Hub
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
REPOSITORY: ${{ inputs.image }}
run: |
docker tag Python/${{ inputs.image }}:latest-amd64 Python/${{ inputs.image }}:latest
docker push Python/${{ inputs.image }}:latest
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Sign the images
run: |
cosign sign \
--yes Python/${{ inputs.image }}:latest
- name: Verify the pushed tags
run: |
cosign verify \
initz/${{ inputs.image }}:latest \
--certificate-identity https://github.com/initializ/secure-images/.github/workflows/PythonBuilderapkorelease.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
- name: Attest SBOM
run: |
cosign attest \
--yes --predicate sbom-x86_64.spdx.json --type spdxjson Python/${{ inputs.image }}:latest
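Review bot: The verify step checks `initz/${{ inputs.image }}:latest` while the sign step and every push in this workflow use `Python/${{ inputs.image }}:latest`, so the verification never inspects the image this job signed; the verify line should read `Python/${{ inputs.image }}:latest \` (or the image digest). The `--certificate-identity` also names `PythonBuilderapkorelease.yml`, but this file is added as `.github/workflows/PythoBuilderapkorelease.yaml`, and the identity in the signing certificate is the exact workflow path, so verification would still fail once the image name is fixed — either rename the file or make the identity match it. Note too that Docker image references require lowercase repository components, so `Python/…` is likely to be rejected by `docker tag`/`docker push` (and the same name is passed as `tag:` to apko-build). Finally, `distroless/actions/apko-build@main` is a mutable ref inside a signing pipeline; pinning it to a commit SHA, as the cosign-installer line already does, removes that window.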
54 changes: 54 additions & 0 deletions .github/workflows/PythonBuilderdockerfile.yaml
@@ -0,0 +1,54 @@
on:
workflow_dispatch:
inputs:
image:
description: 'Image to Release'
required: true
type: string
inputs:
tag:
description: 'Tag'
required: true
type: string

permissions:
id-token: write # This is required for GH OIDC connection
contents: read # This is required for actions/checkout

jobs:
image-release:
runs-on: ubuntu-latest

steps:
- name: Git checkout
uses: actions/checkout@v3

- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Build image
run: |
docker build -t images/SecurePacks/PythonBuilder/Stack/${{ inputs.image }}:${{ inputs.tag }} -f images/SecurePacks/PythonBuilder/Stack/${{ inputs.image }}/Dockerfile .
docker tag images/SecurePacks/PythonBuilder/Stack/${{ inputs.image }}:${{ inputs.tag }} pythonsecurepacks/${{ inputs.image }}:${{ inputs.tag }}
- name: Tag and push Docker image to Docker Hub
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
REPOSITORY: ${{ inputs.image }}
run: |
docker push pythonsecurepacks/${{ inputs.image }}:${{ inputs.tag }}
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Sign the images
run: |
cosign sign \
--yes public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest
- name: Verify the pushed tags
run: |
cosign verify \
public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest \
--certificate-identity https://github.com/initializ/secure-images/.github/workflows/PythonBuilderdockerfile.yaml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
75 changes: 0 additions & 75 deletions .github/workflows/dockerimagerelease.yaml

This file was deleted.

File renamed without changes.
File renamed without changes.
2 changes: 1 addition & 1 deletion images/SecurePacks/InitzBuilder/Stack/Build/Dockerfile
@@ -1,5 +1,5 @@
# Define the base image
FROM intz:build
FROM initz/Build:latest

# Switch to the root user to install packages
USER root
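Review bot: `FROM initz/Build:latest` uses an uppercase path component; Docker image references require lowercase repository names, so this pull is rejected as an invalid reference unless the published repository is actually `initz/build`, in which case the Dockerfile should say so. The same applies to `FROM initz/Run:latest` in the Run/Dockerfile. Since the releases in this commit are signed and have an attested SBOM, pinning the base by digest (`initz/build@sha256:<digest>`, placeholder) rather than `:latest` would make the build reproducible and keep the attestation tied to a known base image.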
2 changes: 1 addition & 1 deletion images/SecurePacks/InitzBuilder/Stack/Run/Dockerfile
@@ -1,5 +1,5 @@
# Define the base image
FROM intz:run
FROM initz/Run:latest

# Switch to the root user to install packages
USER root
File renamed without changes.
File renamed without changes.
