This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
nais Salsa integration #110
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: nais Salsa integration | |
| on: | |
| workflow_run: | |
| workflows: [Salsa build & release] | |
| types: [completed] | |
| branches: [main] | |
| env: | |
| IMAGE: ttl.sh/nais/salsa-integration-test:1h | |
| jobs: | |
| on-failure: | |
| runs-on: ubuntu-20.04 | |
| if: ${{ github.event.workflow_run.conclusion == 'failure' }} | |
| steps: | |
| - run: echo 'The triggering workflow failed' && exit 1 | |
| on-success-generate-provenance: | |
| runs-on: ubuntu-20.04 | |
| if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
| steps: | |
| - run: echo 'The triggering workflow passed' | |
| - name: Checkout Code | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # ratchet:actions/checkout@v3 | |
| # For demonstration purpose | |
| # Credentials needed to authenticate to google kms and sign image. | |
| - name: Authenticate to Google Cloud | |
| id: google | |
| uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # ratchet:google-github-actions/auth@v0 | |
| with: | |
| credentials_json: ${{ secrets.SALSA_CREDENTIALS }} | |
| # For demonstration purpose | |
| - name: Build and push | |
| id: docker | |
| uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # ratchet:docker/build-push-action@v4 | |
| with: | |
| context: integration-test | |
| push: true | |
| tags: ${{ env.IMAGE }} | |
| # Added to a workflow | |
| - name: Generate provenance, sign and upload image | |
| id: salsa | |
| # nais/salsa@v... | |
| uses: ./ | |
| with: | |
| registry: ttl.sh | |
| image_digest: ${{ steps.docker.outputs.digest }} | |
| key: ${{ secrets.SALSA_KMS_KEY }} | |
| # For demonstration purpose | |
| - name: Upload provenance | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # ratchet:actions/upload-artifact@v3 | |
| with: | |
| path: |- | |
| ./${{ steps.salsa.outputs.provenance_file_path }} | |
| ./${{ steps.salsa.outputs.raw_file_path }} |