Declarative trigger of custom image builds using IaC:
- Verify the integrity of the existing image by validating its digital signature with cosign
- Verify the SBOM attestation and list the packages it contains
- Trigger a new build using the APKO overlay YAML in the ca-images-iac folder
- Adheres to least privilege by using short-lived, ephemeral tokens to:
  - Authenticate to the Chainguard Registry using an assumed identity (the ambient credentials of each workflow invocation)
  - Authenticate to GitHub (using octo-sts in place of a long-lived PAT)
- Edit the ca-images-iac YAML declarations to add packages, custom annotations and environment variables
- Commit to the main branch
- Merge
- Profit
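The "verify the SBOM attestation and list packages" step, worked through as an added example (not code from the ca-images-iac repository). `cosign verify-attestation --type https://spdx.dev/Document <image>` prints one DSSE envelope per line after it has checked the signature; the script below takes such an envelope, decodes the in-toto statement, re-checks that the SPDX predicate is bound to the image digest you resolved, lists the packages, and reports which packages you expected from the overlay are absent. The envelope, image name, digest and package versions are constructed placeholders, and the `sha256` digest check assumes the subject digest form cosign emits.

```python
import base64
import json
import sys

# --- Constructed sample (placeholder values, not a real Chainguard image) ---
# Shape mirrors what `cosign verify-attestation --type https://spdx.dev/Document`
# prints to stdout: a DSSE envelope whose payload is a base64 in-toto statement.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "cgr.dev/example-org/placeholder-image",
                 "digest": {"sha256": "ab" * 32}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "packages": [
            {"name": "placeholder-image", "versionInfo": "1.0.0-r0"},  # image root package
            {"name": "glibc", "versionInfo": "2.39-r6"},
            {"name": "curl", "versionInfo": "8.8.0-r0"},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],  # already verified by cosign
})

SPDX_PREDICATE = "https://spdx.dev/Document"


def decode_statement(envelope_json: str) -> dict:
    """Unwrap a DSSE envelope and return the in-toto statement it carries."""
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def attestation_problems(statement: dict, expected_digest: str) -> list:
    """Return a list of reasons the statement is not the SBOM for the image.

    cosign already binds the attestation to the image it verified; re-checking
    the subject digest guards against feeding a saved envelope for another image.
    An empty list means the statement is acceptable.
    """
    problems = []
    if statement.get("predicateType") != SPDX_PREDICATE:
        problems.append(f"predicateType is {statement.get('predicateType')!r}, not SPDX")
    algo, _, hexdigest = expected_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == hexdigest
               for s in statement.get("subject", [])):
        problems.append(f"no subject matches {expected_digest}")
    return problems


def list_packages(statement: dict) -> list:
    """(name, version) for every SPDX package in the predicate."""
    return [(p.get("name", ""), p.get("versionInfo", ""))
            for p in statement.get("predicate", {}).get("packages", [])]


def missing_packages(statement: dict, wanted) -> list:
    """Wanted package names (e.g. those added in the overlay) absent from the SBOM."""
    present = {name for name, _ in list_packages(statement)}
    return [name for name in wanted if name not in present]


def main() -> int:
    # Pipe cosign output in with `-`; otherwise the constructed sample is used.
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_ENVELOPE
    digest = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_DIGEST
    statement = decode_statement(raw.strip().splitlines()[0])
    for problem in attestation_problems(statement, digest):
        print("REJECT:", problem)
        return 1
    for name, version in list_packages(statement):
        print(f"{name} {version}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Typical use after a rebuild: resolve the image digest from the registry, run `cosign verify-attestation ... | python sbom_check.py - <digest>`, and then call `missing_packages` with the package list from your overlay YAML to confirm the declared additions actually landed in the new image.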