Skip to content
build-feature-branch

Added demo script for KubeCon EU 2024 #114

Sign in to view logs

Added demo script for KubeCon EU 2024

Added demo script for KubeCon EU 2024 #114

Workflow file for this run

.github/workflows/build-feature.yaml at 64e4197
name: build-feature-branch
on:
# Triggers only for the feature/ branches
push:
branches: [ 'feature/**' ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
build:
name: build
runs-on: ubuntu-latest
environment: development
steps:
- uses: actions/checkout@v3
- name: Install ORAS
run: |
curl -LO https://github.com/oras-project/oras/releases/download/v0.2.1-alpha.1/oras_0.2.1-alpha.1_linux_amd64.tar.gz
mkdir -p oras-install/
tar -zxf oras_0.2.*.tar.gz -C oras-install/
mv oras-install/oras /usr/local/bin/
rm -rf oras_0.2.*.tar.gz oras-install/
- name: Build Docker Image
run: docker build . --file Dockerfile --tag ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d')
- name: Get Docker Content Manifest
run: docker inspect ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') > inspect.json
- name: Prepare Python Environment
run: pip install -r ./utils/requirements.txt
- name: Annotate Layers
run: |
python ./utils/layer_annotate.py \
-d ./Dockerfile \
-c ./inspect.json \
-o ${{ github.actor }} \
-s ${{ github.sha }} \
-r ${{ github.repository }} \
-f ./ownership.json
- name: Print Layer Annotations
run: cat ./ownership.json
- name: Login to the Container Registry
uses: azure/docker-login@v1
with:
login-server: ${{ secrets.ACR_LOGIN_SERVER }}
username: ${{ secrets.ACR_CLIENT_ID }}
password: ${{ secrets.ACR_CLIENT_SECRET }}
- name: Push Image to ACR
run: docker push ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d')
- name: Push Ownership to the Registry
run: |
oras push ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample \
--artifact-type 'application/ownership+json' \
--subject ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') \
./ownership.json:application/json
provenance:
name: provenance
runs-on: ubuntu-latest
needs: [build]
environment: development
steps:
- name: Install Skopeo
run: sudo apt-get update && sudo apt-get -y install skopeo
- name: Install ORAS
run: |
curl -LO https://github.com/oras-project/oras/releases/download/v0.2.1-alpha.1/oras_0.2.1-alpha.1_linux_amd64.tar.gz
mkdir -p oras-install/
tar -zxf oras_0.2.*.tar.gz -C oras-install/
mv oras-install/oras /usr/local/bin/
rm -rf oras_0.2.*.tar.gz oras-install/
- name: Login to the Container Registry
uses: azure/docker-login@v1
with:
login-server: ${{ secrets.ACR_LOGIN_SERVER }}
username: ${{ secrets.ACR_CLIENT_ID }}
password: ${{ secrets.ACR_CLIENT_SECRET }}
- name: Get Image Digest
id: get_image_digest
run: |
echo ::set-output name=docker_digest::$(skopeo inspect docker://${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') | jq .Digest)
- name: Generate SLSA Provenance for Container
uses: philips-labs/slsa-provenance-action@v0.7.2
with:
command: generate
subcommand: container
arguments: --repository ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample --output-path ./provenance.json --digest ${{ steps.get_image_digest.outputs.docker_digest }} --tags "$(date +'%Y-%m-%d')"
- name: Print Provenance Details
run: |
cat ./provenance.json
- name: Generate Annotation File
run: |
echo \
'''{
"$manifest": {
"io.azurecr.image.author": "${{ github.actor }}",
"io.azurecr.image.commit-sha": "${{ github.sha }}",
"io.azurecr.image.repository": "${{ github.repository }}"
}
}''' > ./annotations.json
- name: Push SLSA Provenance to the Registry
run: |
oras push ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample \
--artifact-type 'application/slsa+json' \
--subject ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') \
--manifest-annotations ./annotations.json \
./provenance.json:application/json