Skip to content

Bump sigstore/cosign-installer from 3.1.2 to 3.2.0 #50

Bump sigstore/cosign-installer from 3.1.2 to 3.2.0

Bump sigstore/cosign-installer from 3.1.2 to 3.2.0 #50

name: Build and publish Docker images
on:
push:
branches:
- c7-php80
- c7-php81
workflow_dispatch:
permissions:
contents: read
packages: write
env:
IMAGE_NAME: tuleap-test-rest
jobs:
build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Get lowercase base image name
run: echo BASE_IMAGE_NAME="$(echo ${{ github.repository_owner }} | tr '[A-Z]' '[a-z]')" >> $GITHUB_ENV
- name: Build image
run: docker build -t ghcr.io/${{ env.BASE_IMAGE_NAME }}/${{ env.IMAGE_NAME }}:${GITHUB_REF#refs/heads/} --label revision=${{ github.sha }} --label workflow_run_id=${{ github.run_id }} .
- name: Log into ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # tag=v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install Cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # tag=v3.2.0
- name: Publish image
run: docker push ghcr.io/${{ env.BASE_IMAGE_NAME }}/${{ env.IMAGE_NAME }}:${GITHUB_REF#refs/heads/}
- name: Sign image
env:
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
run: |
export VAULT_TOKEN=$(curl "$VAULT_ADDR"/v1/auth/approle/login --silent --fail -X POST --data '{"role_id": "${{ secrets.VAULT_ROLE_ID_SIGNING }}", "secret_id": "${{ secrets.VAULT_SECRET_ID_SIGNING }}"}' | jq -r '.auth.client_token')
cosign sign --yes --tlog-upload=true --key hashivault://tuleap-additional-tools-signing "$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ env.BASE_IMAGE_NAME }}/${{ env.IMAGE_NAME }}:${GITHUB_REF#refs/heads/})"