Skip to content
Commit Stage

Update app #77

Sign in to view logs

Update app

Update app #77

Workflow file for this run

.github/workflows/commit-stage.yml at 080b509
name: Commit Stage
on: push
env:
COSIGN_EXPERIMENTAL: 1
REGISTRY: ghcr.io
IMAGE_NAME: thomasvitale/band-service
VERSION: ${{ github.sha }}
jobs:
build:
name: Build
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Check out source code
uses: actions/checkout@v3
- name: Set up Java
uses: actions/setup-java@v3
with:
java-version: 17
distribution: temurin
cache: gradle
- name: Source code vulnerability scanning
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results-source-code.sarif'
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
if: success() || failure()
with:
sarif_file: 'trivy-results-source-code.sarif'
category: source-code
- name: Compile and test
run: ./gradlew clean build
- name: Package as OCI image
run: ./gradlew bootBuildImage --imageName ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
- name: OCI image vulnerability scanning
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
format: 'sarif'
output: 'trivy-results-oci-image.sarif'
category: oci-image
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
if: success() || failure()
with:
sarif_file: 'trivy-results-oci-image.sarif'
- name: Authenticate with the container registry
uses: docker/login-action@v2
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ${{ env.REGISTRY }}
- name: Publish OCI image
run: |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
sign:
name: Sign
runs-on: ubuntu-22.04
needs: [build]
permissions:
contents: read
packages: write
id-token: write
outputs:
image-digest: ${{ steps.image-info.outputs.digest }}
image-name: ${{ steps.image-info.outputs.name }}
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v2.8.1
- uses: redhat-actions/podman-login@v1.4
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ${{ env.REGISTRY }}
- name: Fetch OCI image
run: podman pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
- name: Get OCI image digest
id: image-info
run: |
image_digest=$(podman inspect --format='{{.Digest}}' ${REGISTRY}/${IMAGE_NAME}:${VERSION})
echo $image_digest
echo "IMAGE_DIGEST=${image_digest}" >> $GITHUB_ENV
echo "digest=${image_digest}" >> $GITHUB_OUTPUT
echo "name=${REGISTRY}/${IMAGE_NAME}" >> $GITHUB_OUTPUT
- name: Sign image
run: |
cosign sign "${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST}"
echo "::notice title=Verify signature::COSIGN_EXPERIMENTAL=1 cosign verify ${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST} | jq '.[0]'"
echo "::notice title=Inspect signature bundle::COSIGN_EXPERIMENTAL=1 cosign verify ${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST} | jq '.[0].optional.Bundle.Payload.body |= @base64d | .[0].optional.Bundle.Payload.body | fromjson'"
echo "::notice title=Inspect certificate::COSIGN_EXPERIMENTAL=1 cosign verify ${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST} | jq -r '.[0].optional.Bundle.Payload.body |= @base64d | .[0].optional.Bundle.Payload.body | fromjson | .spec.signature.publicKey.content |= @base64d | .spec.signature.publicKey.content' | openssl x509 -text"
provenance:
needs: [sign]
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with:
image: ${{ needs.sign.outputs.image-name }}
digest: ${{ needs.sign.outputs.image-digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}