Skip to content
calculator-svc

Update sigstore/cosign-installer action to v3.5.0 #130

Sign in to view logs

Update sigstore/cosign-installer action to v3.5.0

Update sigstore/cosign-installer action to v3.5.0 #130

Workflow file for this run

.github/workflows/calculator-svc.yml at 1f3d4e2
name: calculator-svc
on:
push:
workflow_dispatch:
permissions: {}
env:
IMAGE_REF: "ghcr.io/${{ github.repository }}/calculator-svc"
jobs:
build-calculator-image:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
outputs:
digest: ${{ steps.build-container-image.outputs.Digest }}
steps:
- name: Check out repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Docker metadata
id: meta
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: |
${{ env.IMAGE_REF }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=sha,prefix=
type=sha,format=long,prefix=
type=semver,pattern={{version}}
type=semver,pattern=v{{version}}
type=ref,event=branch
- name: Log in to ghcr.io
id: docker-login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push container image
id: build-container-image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
file: cmd/calculator-svc/Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
sign-calculator-image:
runs-on: ubuntu-22.04
needs:
- build-calculator-image
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Check out repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Cosign CLI
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Log in to ghcr.io
id: docker-login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Sign calculator-image
run: |
cosign sign -y \
${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }}
cosign verify \
--certificate-identity-regexp https://github.com/datosh-org/most-secure-calculator/.github/workflows/calculator-svc.yml.* \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }}
sbom-image:
runs-on: ubuntu-22.04
needs:
- build-calculator-image
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Check out repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Log in to ghcr.io
id: docker-login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install syft & grype
uses: ./.github/actions/install_syft_grype
with:
syftVersion: "0.98.0"
grypeVersion: "0.73.3"
- name: Install Cosign CLI
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Generate and sign SBOM
run: |
syft attest -o cyclonedx-json \
${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} > calculator.att.json
- name: Check for known vulnerabilities
run: |
grype ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} \
--fail-on critical --only-fixed