
Commit 0667ebe

committed
verify reusable workflow
Signed-off-by: CrazyMax <[email protected]>
1 parent 6a09854 commit 0667ebe


5 files changed

+245
-175
lines changed


.github/workflows/.test.yml

Lines changed: 149 additions & 131 deletions
@@ -39,6 +39,19 @@ jobs:
3939
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
4040
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
4141
42+
build-aws-single-verify:
43+
uses: ./.github/workflows/verify.yml
44+
if: ${{ github.event_name != 'pull_request' }}
45+
needs:
46+
- build-aws-single
47+
with:
48+
builder-outputs: ${{ toJSON(needs.build-aws-single.outputs) }}
49+
secrets:
50+
registry-auths: |
51+
- registry: public.ecr.aws
52+
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
53+
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
54+
4255
build-aws:
4356
uses: ./.github/workflows/build.yml
4457
permissions:
@@ -63,37 +76,17 @@ jobs:
6376
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
6477
6578
build-aws-verify:
66-
runs-on: ubuntu-latest
79+
uses: ./.github/workflows/verify.yml
6780
if: ${{ github.event_name != 'pull_request' }}
6881
needs:
6982
- build-aws
70-
steps:
71-
-
72-
name: Install Cosign
73-
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
74-
with:
75-
cosign-release: ${{ needs.build-aws.outputs.cosign-version }}
76-
-
77-
name: Login to registry
78-
uses: docker/login-action@v3
79-
with:
80-
registry: public.ecr.aws
83+
with:
84+
builder-outputs: ${{ toJSON(needs.build-aws.outputs) }}
85+
secrets:
86+
registry-auths: |
87+
- registry: public.ecr.aws
8188
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
8289
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
83-
-
84-
name: Verify signatures
85-
uses: actions/github-script@v8
86-
env:
87-
INPUT_COSIGN-VERSION: ${{ needs.build-aws.outputs.cosign-version }}
88-
INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.build-aws.outputs.cosign-verify-commands }}
89-
with:
90-
script: |
91-
const cosignVersion = core.getInput('cosign-version');
92-
core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
93-
const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
94-
for (const cmd of cosignVerifyCommands) {
95-
await exec.exec(cmd);
96-
}
9790
9891
build-ghcr:
9992
uses: ./.github/workflows/build.yml
@@ -115,6 +108,19 @@ jobs:
115108
username: ${{ github.actor }}
116109
password: ${{ secrets.GITHUB_TOKEN }}
117110
111+
build-ghcr-verify:
112+
uses: ./.github/workflows/verify.yml
113+
if: ${{ github.event_name != 'pull_request' }}
114+
needs:
115+
- build-ghcr
116+
with:
117+
builder-outputs: ${{ toJSON(needs.build-ghcr.outputs) }}
118+
secrets:
119+
registry-auths: |
120+
- registry: ghcr.io
121+
username: ${{ github.actor }}
122+
password: ${{ secrets.GITHUB_TOKEN }}
123+
118124
build-dockerhub-stage:
119125
uses: ./.github/workflows/build.yml
120126
permissions:
@@ -135,6 +141,19 @@ jobs:
135141
username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
136142
password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
137143
144+
build-dockerhub-stage-verify:
145+
uses: ./.github/workflows/verify.yml
146+
if: ${{ github.event_name != 'pull_request' }}
147+
needs:
148+
- build-dockerhub-stage
149+
with:
150+
builder-outputs: ${{ toJSON(needs.build-dockerhub-stage.outputs) }}
151+
secrets:
152+
registry-auths: |
153+
- registry: registry-1-stage.docker.io
154+
username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
155+
password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
156+
138157
build-dockerhub-stage-oidc:
139158
uses: ./.github/workflows/build.yml
140159
permissions:
@@ -154,6 +173,21 @@ jobs:
154173
- registry: registry-1-stage.docker.io
155174
username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c
156175
176+
build-dockerhub-stage-oidc-verify:
177+
uses: ./.github/workflows/verify.yml
178+
if: ${{ github.event_name != 'pull_request' }}
179+
permissions:
180+
contents: read
181+
id-token: write
182+
needs:
183+
- build-dockerhub-stage-oidc
184+
with:
185+
builder-outputs: ${{ toJSON(needs.build-dockerhub-stage-oidc.outputs) }}
186+
secrets:
187+
registry-auths: |
188+
- registry: registry-1-stage.docker.io
189+
username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c
190+
157191
build-ghcr-and-aws:
158192
uses: ./.github/workflows/build.yml
159193
permissions:
@@ -179,6 +213,22 @@ jobs:
179213
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
180214
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
181215
216+
build-ghcr-and-aws-verify:
217+
uses: ./.github/workflows/verify.yml
218+
if: ${{ github.event_name != 'pull_request' }}
219+
needs:
220+
- build-ghcr-and-aws
221+
with:
222+
builder-outputs: ${{ toJSON(needs.build-ghcr-and-aws.outputs) }}
223+
secrets:
224+
registry-auths: |
225+
- registry: ghcr.io
226+
username: ${{ github.actor }}
227+
password: ${{ secrets.GITHUB_TOKEN }}
228+
- registry: public.ecr.aws
229+
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
230+
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
231+
182232
build-local:
183233
uses: ./.github/workflows/build.yml
184234
permissions:
@@ -193,35 +243,12 @@ jobs:
193243
build-platforms: linux/amd64,linux/arm64
194244

195245
build-local-verify:
196-
runs-on: ubuntu-latest
246+
uses: ./.github/workflows/verify.yml
197247
if: ${{ github.event_name != 'pull_request' }}
198248
needs:
199249
- build-local
200-
steps:
201-
-
202-
name: Install Cosign
203-
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
204-
with:
205-
cosign-release: ${{ needs.build-local.outputs.cosign-version }}
206-
-
207-
name: Download artifact
208-
uses: actions/download-artifact@v5
209-
with:
210-
name: ${{ needs.build-local.outputs.artifact-name }}
211-
-
212-
name: Verify signatures
213-
uses: actions/github-script@v8
214-
env:
215-
INPUT_COSIGN-VERSION: ${{ needs.build-local.outputs.cosign-version }}
216-
INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.build-local.outputs.cosign-verify-commands }}
217-
with:
218-
script: |
219-
const cosignVersion = core.getInput('cosign-version');
220-
core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
221-
const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
222-
for (const cmd of cosignVerifyCommands) {
223-
await exec.exec(cmd);
224-
}
250+
with:
251+
builder-outputs: ${{ toJSON(needs.build-local.outputs) }}
225252

226253
build-local-single:
227254
uses: ./.github/workflows/build.yml
@@ -235,6 +262,50 @@ jobs:
235262
build-file: test/hello.Dockerfile
236263
build-sbom: true
237264

265+
build-local-single-verify:
266+
uses: ./.github/workflows/verify.yml
267+
if: ${{ github.event_name != 'pull_request' }}
268+
needs:
269+
- build-local-single
270+
with:
271+
builder-outputs: ${{ toJSON(needs.build-local-single.outputs) }}
272+
273+
bake-aws-single:
274+
uses: ./.github/workflows/bake.yml
275+
permissions:
276+
contents: read
277+
packages: write
278+
id-token: write
279+
with:
280+
context: test
281+
target: hello
282+
output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
283+
cache: true
284+
cache-scope: bake-aws
285+
meta-images: |
286+
public.ecr.aws/q3b5f1u4/test-docker-action
287+
meta-tags: |
288+
type=raw,value=bake-ghbuilder-single-${{ github.run_id }}
289+
bake-sbom: true
290+
secrets:
291+
registry-auths: |
292+
- registry: public.ecr.aws
293+
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
294+
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
295+
296+
bake-aws-single-verify:
297+
uses: ./.github/workflows/verify.yml
298+
if: ${{ github.event_name != 'pull_request' }}
299+
needs:
300+
- bake-aws-single
301+
with:
302+
builder-outputs: ${{ toJSON(needs.bake-aws-single.outputs) }}
303+
secrets:
304+
registry-auths: |
305+
- registry: public.ecr.aws
306+
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
307+
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
308+
238309
bake-aws:
239310
uses: ./.github/workflows/bake.yml
240311
permissions:
@@ -259,37 +330,17 @@ jobs:
259330
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
260331
261332
bake-aws-verify:
262-
runs-on: ubuntu-latest
333+
uses: ./.github/workflows/verify.yml
263334
if: ${{ github.event_name != 'pull_request' }}
264335
needs:
265336
- bake-aws
266-
steps:
267-
-
268-
name: Install Cosign
269-
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
270-
with:
271-
cosign-release: ${{ needs.bake-aws.outputs.cosign-version }}
272-
-
273-
name: Login to registry
274-
uses: docker/login-action@v3
275-
with:
276-
registry: public.ecr.aws
337+
with:
338+
builder-outputs: ${{ toJSON(needs.bake-aws.outputs) }}
339+
secrets:
340+
registry-auths: |
341+
- registry: public.ecr.aws
277342
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
278343
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
279-
-
280-
name: Verify signatures
281-
uses: actions/github-script@v8
282-
env:
283-
INPUT_COSIGN-VERSION: ${{ needs.bake-aws.outputs.cosign-version }}
284-
INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.bake-aws.outputs.cosign-verify-commands }}
285-
with:
286-
script: |
287-
const cosignVersion = core.getInput('cosign-version');
288-
core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
289-
const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
290-
for (const cmd of cosignVerifyCommands) {
291-
await exec.exec(cmd);
292-
}
293344
294345
bake-ghcr-and-aws:
295346
uses: ./.github/workflows/bake.yml
@@ -319,37 +370,20 @@ jobs:
319370
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
320371
321372
bake-ghcr-and-aws-verify:
322-
runs-on: ubuntu-latest
373+
uses: ./.github/workflows/verify.yml
323374
if: ${{ github.event_name != 'pull_request' }}
324375
needs:
325376
- bake-ghcr-and-aws
326-
steps:
327-
-
328-
name: Install Cosign
329-
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
330-
with:
331-
cosign-release: ${{ needs.bake-ghcr-and-aws.outputs.cosign-version }}
332-
-
333-
name: Login to registry
334-
uses: docker/login-action@v3
335-
with:
336-
registry: public.ecr.aws
377+
with:
378+
builder-outputs: ${{ toJSON(needs.bake-ghcr-and-aws.outputs) }}
379+
secrets:
380+
registry-auths: |
381+
- registry: ghcr.io
382+
username: ${{ github.actor }}
383+
password: ${{ secrets.GITHUB_TOKEN }}
384+
- registry: public.ecr.aws
337385
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
338386
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
339-
-
340-
name: Verify signatures
341-
uses: actions/github-script@v8
342-
env:
343-
INPUT_COSIGN-VERSION: ${{ needs.bake-ghcr-and-aws.outputs.cosign-version }}
344-
INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.bake-ghcr-and-aws.outputs.cosign-verify-commands }}
345-
with:
346-
script: |
347-
const cosignVersion = core.getInput('cosign-version');
348-
core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
349-
const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
350-
for (const cmd of cosignVerifyCommands) {
351-
await exec.exec(cmd);
352-
}
353387
354388
bake-local:
355389
uses: ./.github/workflows/bake.yml
@@ -366,36 +400,12 @@ jobs:
366400
bake-sbom: true
367401

368402
bake-local-verify:
369-
runs-on: ubuntu-latest
403+
uses: ./.github/workflows/verify.yml
370404
if: ${{ github.event_name != 'pull_request' }}
371405
needs:
372406
- bake-local
373-
steps:
374-
-
375-
name: Install Cosign
376-
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
377-
with:
378-
cosign-release: ${{ needs.bake-local.outputs.cosign-version }}
379-
-
380-
name: Download artifacts
381-
uses: actions/download-artifact@v5
382-
with:
383-
pattern: ${{ needs.bake-local.outputs.artifact-name }}*
384-
merge-multiple: true
385-
-
386-
name: Verify signatures
387-
uses: actions/github-script@v8
388-
env:
389-
INPUT_COSIGN-VERSION: ${{ needs.bake-local.outputs.cosign-version }}
390-
INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.bake-local.outputs.cosign-verify-commands }}
391-
with:
392-
script: |
393-
const cosignVersion = core.getInput('cosign-version');
394-
core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
395-
const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
396-
for (const cmd of cosignVerifyCommands) {
397-
await exec.exec(cmd);
398-
}
407+
with:
408+
builder-outputs: ${{ toJSON(needs.bake-local.outputs) }}
399409

400410
bake-local-single:
401411
uses: ./.github/workflows/bake.yml
@@ -410,3 +420,11 @@ jobs:
410420
cache: true
411421
artifact-name: bake-output-single
412422
bake-sbom: true
423+
424+
bake-local-single-verify:
425+
uses: ./.github/workflows/verify.yml
426+
if: ${{ github.event_name != 'pull_request' }}
427+
needs:
428+
- bake-local-single
429+
with:
430+
builder-outputs: ${{ toJSON(needs.bake-local-single.outputs) }}
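Review bot: The new verify caller jobs (`build-aws-single-verify`, `build-ghcr-verify`, `build-ghcr-and-aws-verify` and the rest) declare no `permissions:`, so the GITHUB_TOKEN handed to `verify.yml` inherits whatever the caller workflow's top-level block or the repository default grants; only `build-dockerhub-stage-oidc-verify` scopes it down with `contents: read` and `id-token: write`. Verification is a read-only operation, so each verify job should state the minimum explicitly, `permissions:` / `contents: read`, adding `packages: read` only on the jobs that log in to ghcr.io with `${{ secrets.GITHUB_TOKEN }}` (needed if the package is private). The verification steps themselves now live in `verify.yml`, which is not part of this diff: confirm it keeps the SHA-pinned `sigstore/cosign-installer@faadad0c…` the removed inline steps used, and that it still runs the `cosign-verify-commands` carried in `builder-outputs` through `exec.exec` (argument vector, no shell) rather than interpolating them into a `run:` step, since those strings originate from another job's outputs.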

.github/workflows/bake.yml

Lines changed: 4 additions & 0 deletions
@@ -129,6 +129,9 @@ on:
129129
artifact-name:
130130
description: Name of the uploaded artifact (for local output)
131131
value: ${{ jobs.finalize.outputs.artifact-name }}
132+
output-type:
133+
description: Build output type
134+
value: ${{ jobs.finalize.outputs.output-type }}
132135

133136
env:
134137
DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/[email protected]"
@@ -635,6 +638,7 @@ jobs:
635638
cosign-version: ${{ env.COSIGN_VERSION }}
636639
cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }}
637640
artifact-name: ${{ inputs.artifact-name }}
641+
output-type: ${{ inputs.output }}
638642
needs:
639643
- build
640644
steps:
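Review bot: The new `output-type` output is documented only as `Build output type`, yet it simply echoes the caller-supplied input (`output-type: ${{ inputs.output }}`) and the values driven from `.test.yml` are `registry` and `cacheonly`; the description should make the source and value set explicit, e.g. `description: Build output type, mirroring the 'output' input (e.g. registry, cacheonly)`, so a consumer in `verify.yml` knows what it can branch on. The caller in `.test.yml` also passes `toJSON(needs.<build-job>.outputs)` from `build.yml` into the same verify workflow, so `build.yml` presumably needs a matching `output-type` output; the diffstat lists 5 changed files but only two are visible here, so that is worth confirming. The `finalize` job's `outputs:` mapping starts outside this hunk.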
