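---
# Reusable "deploy" workflow (invoked via workflow_call).
#
# It consumes the artifacts an earlier build-image job is expected to
# upload (image.tar, image-tag.txt, image-digest.txt), records an in-toto
# "deploy" step with DevGuard, pushes the OCI image to GHCR under its tag,
# and re-tags it as <branch>-latest.
#
# NOTE(review): no `permissions:` block is declared, so the job runs with
# whatever GITHUB_TOKEN scope the caller grants. A job-level
#   permissions: { contents: read, packages: write }
# would make the needed scope explicit -- confirm what the scanner needs
# before adding it, because a called workflow can only narrow permissions.
#
# yamllint disable-line rule:truthy
on:
  workflow_call:
    inputs:
      asset-name:
        description: 'Name of the asset to be deployed'
        type: string
        required: true
      api-url:
        description: 'URL of the DevGuard API'
        type: string
        required: false
        default: 'https://api.devguard.org'
      should-deploy:
        # Gate for the whole deploy job; `false` skips it entirely.
        description: 'Should the deploy job run'
        type: boolean
        required: false
        default: true
      image-already-in-registry:
        # When true, image.tar is neither downloaded nor pushed; only the
        # provenance step and the <branch>-latest re-tag run.
        description: 'If set to true, the image wont be pushed again'
        type: boolean
        required: false
        default: false
      image-suffix:
        # Appended to every artifact name (oci-image<suffix>, image-tag<suffix>,
        # image-digest<suffix>) and used as the image path segment below.
        # NOTE(review): the description says "leave it empty" for a single
        # artifact, but the default is 'container' -- callers must pass ''
        # explicitly to get the un-suffixed names.
        type: string
        required: false
        default: 'container'
        description: "The name of the artifact you are building. This is useful when a single pipeline builds more than a single artifact like a container with a shell inside and one without. If you build a single artifact - leave it empty."
    secrets:
      devguard-token:
        description: 'DevGuard API token'
        required: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    if: inputs.should-deploy
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
          # Do not leave GITHUB_TOKEN behind in .git/config: no later step
          # pushes to git, and the third-party scanner container below gets
          # the workspace mounted. If the scanner turns out to need git
          # credentials, pass them to that step explicitly instead.
          persist-credentials: false

      - name: Download oci-image artifact (can be created by build-image)
        if: inputs.image-already-in-registry == false
        uses: actions/download-artifact@v4
        with:
          name: oci-image${{ inputs.image-suffix }}
          path: .

      - name: Download image-tag artifact (can be created by build-image)
        uses: actions/download-artifact@v4
        with:
          name: image-tag${{ inputs.image-suffix }}
          path: .

      - name: Download image-digest artifact (can be created by build-image)
        uses: actions/download-artifact@v4
        with:
          name: image-digest${{ inputs.image-suffix }}
          path: .

      - name: Read image-digest.txt
        id: read-digest
        shell: bash
        run: |
          # $(...) drops trailing newlines; strip CRs as well so a Windows-
          # produced artifact is not rejected below.
          digest="$(tr -d '\r' < image-digest.txt)"
          # Only a single bare token may be written to $GITHUB_ENV. Anything
          # with whitespace or newlines is refused so a malformed artifact
          # cannot define extra variables for the remaining steps. The
          # expected form is an OCI digest such as sha256:<64 hex chars>
          # -- TODO confirm against what build-image actually writes.
          if [[ ! "$digest" =~ ^[A-Za-z0-9:]+$ ]]; then
            echo "::error::image-digest.txt does not contain a single digest token"
            exit 1
          fi
          echo "DIGEST=$digest" >> "$GITHUB_ENV"

      - name: In-Toto Provenance run
        # NOTE(review): `main-latest` is a mutable tag; pin the scanner image
        # by digest (`...scanner@sha256:<digest>`) so the step that produces
        # the attestation is itself reproducible. The token is handed over as
        # a command-line argument, so it is visible to `ps` inside the
        # container -- the runner masks it in logs only. Because the step is
        # continue-on-error, a failed or missing attestation never blocks the
        # push below; decide explicitly whether that is intended.
        uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
        with:
          args: devguard-scanner intoto run --step=deploy --materials=image-tag.txt --products=image-tag.txt --products=image-digest.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --supplyChainOutputDigest="${{ env.DIGEST }}"
        continue-on-error: true

      - name: Setup crane
        uses: imjasonh/setup-crane@v0.1

      # NOTE(review): no registry login is visible in this job, and a login
      # performed by the calling workflow does not carry into a called
      # workflow's job (it runs on a fresh runner). Confirm how crane is
      # expected to authenticate to ghcr.io here.
      - name: Push oci image to GitHub image Registry
        if: inputs.image-already-in-registry == false
        shell: bash
        run: |
          # Quoted so a stray space in the artifact cannot become a second
          # argument to crane.
          crane push image.tar "$(cat image-tag.txt)"

      - name: Push oci image to GitHub image Registry with latest
        shell: bash
        env:
          IMAGE_SUFFIX: ${{ inputs.image-suffix }}
          # Read through the environment instead of interpolating `${{ }}`
          # into the script text, so the script itself stays static.
          REPOSITORY: ${{ github.repository }}
        run: |
          # Last path component of the ref. For a branch or tag this is its
          # name; for other ref shapes (e.g. refs/pull/N/merge) it would be
          # the final segment only, which may not be what the caller expects.
          branch=${GITHUB_REF##*/}
          if [ "${IMAGE_SUFFIX}" != "" ]; then
            name="ghcr.io/${REPOSITORY}/${IMAGE_SUFFIX}:$branch-latest"
          else
            name="ghcr.io/${REPOSITORY}:$branch-latest"
          fi
          # GHCR repository paths must be lowercase.
          name=$(echo "$name" | tr '[:upper:]' '[:lower:]')
          crane copy "$(cat image-tag.txt)" "$name"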