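# Reusable workflow (workflow_call): signs a container image with the
# DevGuard scanner. The image reference is taken from the image-tag /
# image-digest artifacts that an earlier build job uploads; see the
# `sign` job below for how the inputs and secrets are consumed.
#
# `on` is a YAML 1.1 boolean-looking key. GitHub's loader handles it,
# but generic linters may flag it (yamllint `truthy`).
on:
  workflow_call:
    inputs:
      api-url:
        description: 'Base URL of the DevGuard API'
        type: string
        required: false
        default: 'https://api.devguard.org'
      asset-name:
        description: 'Name of the asset'
        type: string
        required: true
      artifact-name:
        # NOTE(review): declared for the caller's interface but not
        # referenced by the sign job in this file.
        description: >-
          The name of the artifact you are building. This is useful when a
          single pipeline builds more than a single artifact like a container
          with a shell inside and one without. If you build a single
          artifact - leave it empty.
        type: string
        required: false
        default: ''
      image-suffix:
        # Appended to the artifact names (image-tag<suffix>, image-digest<suffix>)
        # so several images built in one pipeline do not collide.
        description: >-
          Suffix for the image name. You probably need this if you are
          building multiple images. For example building a <abc>/scanner
          image and a <abc>/web image.
        type: string
        required: false
        default: ''
      should-deploy:
        # Input to determine if the signing job should run
        description: 'Should the signing job run'
        type: boolean
        required: false
        default: true
    secrets:
      devguard-token:
        # Passed to the scanner as --token; never echoed by this workflow.
        description: 'DevGuard API token'
        required: true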
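jobs:
  sign:
    # Skipped entirely when the caller sets should-deploy to false.
    if: inputs.should-deploy
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: the signing step authenticates to
    # ghcr.io with it (-p below), so package write access is the only
    # write scope requested. A called workflow can only narrow what the
    # caller grants, so callers must grant at least these.
    # NOTE(review): extend this list if the scanner turns out to need more.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
          # Later steps only read the checkout, so do not leave the token
          # in .git/config where the scanner container could pick it up.
          # Set back to true only if a later step needs authenticated git.
          persist-credentials: false
      - name: Download image-tag artifact (can be created by build-image)
        uses: actions/download-artifact@v4
        with:
          name: image-tag${{ inputs.image-suffix }}
          path: .
      - name: Download image-digest artifact (can be created by build-image)
        uses: actions/download-artifact@v4
        with:
          name: image-digest${{ inputs.image-suffix }}
          path: .
      - name: Set Image to be signed
        # Builds <tag>@<digest> from the two artifact files and exports it
        # via GITHUB_ENV for the signing step.
        run: |
          set -euo pipefail
          # Fail fast if either artifact did not land in the workspace,
          # instead of handing an empty or partial reference to the signer.
          for f in image-tag.txt image-digest.txt; do
            if [ ! -s "$f" ]; then
              echo "::error::$f is missing or empty (expected from build-image)"
              exit 1
            fi
          done
          tag="$(cat image-tag.txt)"
          digest="$(cat image-digest.txt)"
          # GITHUB_ENV is line-oriented: an embedded newline in either value
          # would define extra variables, so require single-line contents.
          case "$tag$digest" in
            *$'\n'*)
              echo "::error::image-tag.txt and image-digest.txt must be single-line"
              exit 1
              ;;
          esac
          echo "IMAGE_TAG_AND_DIGEST=${tag}@${digest}" >> "$GITHUB_ENV"
      - name: DevGuard Image-Signing
        # TODO(review): `main` is a mutable tag; pin the scanner image to an
        # immutable digest (docker://ghcr.io/l3montree-dev/devguard/scanner@sha256:<digest>)
        # so a retagged image cannot change what runs in this job.
        uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main
        with:
          # GITHUB_TOKEN is the ghcr.io registry password (-p); it is scoped
          # to this job and masked in logs. The DevGuard token goes to the
          # API given by --apiUrl.
          args: >-
            devguard-scanner sign
            -u ${{ github.actor }}
            -r ghcr.io
            -p ${{ secrets.GITHUB_TOKEN }}
            --token="${{ secrets.devguard-token }}"
            ${{ env.IMAGE_TAG_AND_DIGEST }}
            --apiUrl=${{ inputs.api-url }}
            --assetName=${{ inputs.asset-name }}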