Switch should_sign to an output and add signing data

docker-library · Sep 23, 2024 · 6493476 · 6493476
1 parent 50813e2
commit 6493476
Showing 1 changed file with 15 additions and 7 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -24,7 +24,6 @@ run-name: '${{ inputs.bashbrewArch }}: ${{ inputs.firstTag }} (${{ inputs.buildI
 permissions:
   contents: read
   actions: write # for https://github.com/andymckay/cancel-action (see usage below)
-  id-token: write # for AWS KMS signing (see usage below)
 concurrency:
   group: ${{ github.event.inputs.buildId }}
   cancel-in-progress: false
@@ -34,9 +33,19 @@ defaults:
 env:
   BUILD_ID: ${{ inputs.buildId }}
   BASHBREW_ARCH: ${{ inputs.bashbrewArch }}
+
+  # the image we'll run to access the signing tool
+  # https://explore.ggcr.dev/?repo=docker/image-signer-verifier
+  IMAGE_SIGNER: 'docker/image-signer-verifier:0.6.3@sha256:d7930e03b48064b6c2d9f9c0421f65a5dacc6aba7d91b9d2e320d2976becfeac'
+
+  # Docker Hub repository we'll push the (signed) attestation artifacts to
+  REFERRERS_REPO: oisupport/referrers
 jobs:
   build:
     name: Build ${{ inputs.buildId }}
+    outputs:
+      shouldSign: ${{ steps.json.outputs.shouldSign }}
+      buildJson: ${{ steps.json.outputs.json }}
     runs-on: ${{ inputs.bashbrewArch == 'windows-amd64' && format('windows-{0}', inputs.windowsVersion) || 'ubuntu-latest' }}
     steps:
 
@@ -86,6 +95,7 @@ jobs:
           ".gha-bin/crane$ext" version
 
       - name: JSON
+        id: json
         run: |
           json="$(
             jq -L.scripts '
@@ -102,15 +112,13 @@ jobs:
             echo "json<<$EOJSON"
             cat <<<"$json"
             echo "$EOJSON"
-          } >> "$GITHUB_ENV"
+          } | tee -a "$GITHUB_ENV" "$GITHUB_OUTPUT" > /dev/null
 
           mkdir build
 
-          # TODO signing prototype -- starting very small
           shouldSign="$(jq <<<"$json" -L.scripts 'include "doi"; build_should_sign')"
           [ "$shouldSign" = 'true' ] || [ "$shouldSign" = 'false' ] || exit 1
-          echo "shouldSign=$shouldSign" >> "$GITHUB_ENV"
-
+          echo "shouldSign=$shouldSign" >> "$GITHUB_OUTPUT"
       - name: Check
         run: |
           img="$(jq <<<"$json" -r '.build.img')"
@@ -153,7 +161,7 @@ jobs:
 
       # TODO signing prototype (see above where "shouldSign" is populated)
       - name: Configure AWS (for signing)
-        if: env.shouldSign == 'true'
+        if: steps.json.outputs.shouldSign == 'true'
         # https://github.com/aws-actions/configure-aws-credentials/releases
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
@@ -162,7 +170,7 @@ jobs:
           role-to-assume: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_ROLE_ARN || secrets.AWS_KMS_STAGE_ROLE_ARN }}
           # TODO figure out if there's some way we could make our secrets ternaries here more DRY without major headaches 🙈
       - name: Sign
-        if: env.shouldSign == 'true'
+        if: steps.json.outputs.shouldSign == 'true'
         env:
           AWS_KMS_REGION:  ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_REGION  || secrets.AWS_KMS_STAGE_REGION }}
           AWS_KMS_KEY_ARN: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_KEY_ARN || secrets.AWS_KMS_STAGE_KEY_ARN }}