refactor GH action yaml to reduce yaml #121
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish and Sign Container Image | |
| on: | |
| schedule: | |
| - cron: '32 11 * * *' | |
| push: | |
| branches: [ main ] | |
| # Publish semver tags as releases. | |
| tags: [ 'v*.*.*' ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v2 | |
| - name: Install cosign | |
| uses: sigstore/[email protected] | |
| - name: Check install! | |
| run: cosign version | |
| - name: Setup Docker buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Log into ghcr.io | |
| uses: docker/login-action@master | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push container image | |
| id: push-step | |
| uses: docker/build-push-action@master | |
| with: | |
| push: true | |
| tags: ghcr.io/${{ github.repository }}:latest | |
| - name: Sign the images with GitHub OIDC Token | |
| env: | |
| DIGEST: ${{ steps.push-step.outputs.digest }} | |
| TAGS: ghcr.io/${{ github.repository }} | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: | | |
| echo "dont sign image" | |
| cosign sign --yes "${TAGS}@${DIGEST}" | |
| - name: (optional) Verify the images | |
| run: | | |
| cosign verify ghcr.io/whoissqr/cg-test-keyless-sign \ | |
| --certificate-identity https://github.com/whoissqr/cg-test-keyless-sign/.github/workflows/main.yml@refs/heads/main \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq | |
| - name: Create k3s cluster | |
| uses: debianmaster/actions-k3s@master | |
| id: k3s | |
| with: | |
| version: 'latest' | |
| - name: (optional) Install Kyverno CLI | |
| uses: kyverno/[email protected] | |
| with: | |
| release: 'v1.9.5' | |
| - name: (optional) Verify policy using Kyverno CLI | |
| run: | | |
| kyverno version | |
| kyverno apply ./k3s/policy-check-image-keyless.yaml --cluster -v 10 | |
| - name: Install Kyverno and apply policy | |
| run: | | |
| helm repo add kyverno https://kyverno.github.io/kyverno/ | |
| helm repo update | |
| helm install kyverno kyverno/kyverno -n kyverno --create-namespace | |
| kubectl apply -f ./k3s/policy-check-image-keyless.yaml | |
| - name: Deploy pod to k3s | |
| run: | | |
| set -x | |
| kubectl create ns app | |
| sleep 10 | |
| kubectl apply -f ./k3s/pod.yaml | |
| kubectl -n app wait --for=condition=Ready pod/cg | |
| kubectl get pods -n app | |
| # kubectl -n app describe pod cg | |
| # kubectl get polr -o wide | |