Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

slsa keyless

slsa keyless #134

name: slsa keyless
on:
workflow_run:
workflows: [Salsa build & release]
types: [completed]
branches: [main]
env:
IMAGE: ttl.sh/nais/salsa-keyless-test:1h
jobs:
on-failure:
runs-on: ubuntu-20.04
if: ${{ github.event.workflow_run.conclusion == 'failure' }}
steps:
- run: echo 'The triggering workflow failed' && exit 1
keyless:
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-20.04
steps:
- name: Checkout Code
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # ratchet:actions/checkout@v3
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # ratchet:google-github-actions/auth@v1.1.0
id: google
with:
workload_identity_provider: ${{ secrets.SLSA_WORKLOAD_IDENTITY_PROVIDER }}
service_account: cosign-keyless@plattformsikkerhet-dev-496e.iam.gserviceaccount.com
token_format: "id_token"
id_token_audience: sigstore
id_token_include_email: true
- name: Build and push
id: docker
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # ratchet:docker/build-push-action@v4
with:
context: integration-test
push: true
tags: ${{ env.IMAGE }}
- name: Generate provenance, sign and upload image
uses: ./
with:
image_digest: ${{ steps.docker.outputs.digest }}
registry: ttl.sh
identity_token: ${{ steps.google.outputs.id_token }}
env:
COSIGN_EXPERIMENTAL: "true"