add 'failurePolicy: Fail' to policy #117
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish and Sign Container Image | |
| on: | |
| schedule: | |
| - cron: '32 11 * * *' | |
| push: | |
| branches: [ main ] | |
| # Publish semver tags as releases. | |
| tags: [ 'v*.*.*' ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v2 | |
| - name: Install cosign | |
| uses: sigstore/[email protected] | |
| - name: Check install! | |
| run: cosign version | |
| - name: Setup Docker buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Log into ghcr.io | |
| uses: docker/login-action@master | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push container image | |
| id: push-step | |
| uses: docker/build-push-action@master | |
| with: | |
| push: true | |
| tags: ghcr.io/${{ github.repository }}:latest | |
| - name: Sign the images with GitHub OIDC Token | |
| env: | |
| DIGEST: ${{ steps.push-step.outputs.digest }} | |
| TAGS: ghcr.io/${{ github.repository }} | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: | | |
| echo "dont sign image" | |
| # cosign sign --yes "${TAGS}@${DIGEST}" | |
| - name: Verify the images | |
| run: | | |
| cosign verify ghcr.io/whoissqr/cg-test-keyless-sign \ | |
| --certificate-identity https://github.com/whoissqr/cg-test-keyless-sign/.github/workflows/main.yml@refs/heads/main \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq | |
| - name: Create k3s cluster | |
| uses: debianmaster/actions-k3s@master | |
| id: k3s | |
| with: | |
| version: 'latest' | |
| - name: Install Kyverno chart | |
| run: | | |
| helm repo add kyverno https://kyverno.github.io/kyverno/ | |
| helm repo update | |
| helm install kyverno kyverno/kyverno -n kyverno --create-namespace | |
| - name: Apply image attestation policy | |
| run: | | |
| kubectl apply -f ./k3s/policy-check-image-keyless.yaml | |
| - name: Deploy pod to k3s | |
| run: | | |
| set -x | |
| # kubectl get nodes | |
| kubectl create ns app | |
| sleep 20 | |
| # kubectl get pods -n app | |
| kubectl apply -f ./k3s/pod.yaml | |
| kubectl -n app wait --for=condition=Ready pod/cg | |
| kubectl get pods -n app | |
| kubectl -n app describe pod cg | |
| kubectl get polr -o wide | |
| - name: Install Kyverno CLI | |
| uses: kyverno/[email protected] | |
| with: | |
| release: 'v1.9.5' | |
| - name: Check policy using Kyverno CLI | |
| run: | | |
| kyverno version | |
| kyverno apply ./k3s/policy-check-image-keyless.yaml --cluster -v 10 |