Skip to content

Commit

Permalink
Switch should_sign to an output and add signing data
Browse files Browse the repository at this point in the history
  • Loading branch information
LaurentGoderre committed Sep 13, 2024
1 parent 50813e2 commit 94baf26
Showing 1 changed file with 24 additions and 5 deletions.
29 changes: 24 additions & 5 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@ run-name: '${{ inputs.bashbrewArch }}: ${{ inputs.firstTag }} (${{ inputs.buildI
permissions:
contents: read
actions: write # for https://github.com/andymckay/cancel-action (see usage below)
id-token: write # for AWS KMS signing (see usage below)
concurrency:
group: ${{ github.event.inputs.buildId }}
cancel-in-progress: false
Expand All @@ -34,9 +33,20 @@ defaults:
env:
BUILD_ID: ${{ inputs.buildId }}
BASHBREW_ARCH: ${{ inputs.bashbrewArch }}

# the image we'll run to access the signing tool
# https://explore.ggcr.dev/?repo=docker/image-signer-verifier
IMAGE_SIGNER: 'docker/image-signer-verifier:0.6.0@sha256:81f1ba7d3add2d0e9640d58b059ef0435327f68fc104aca4a685e8c0042e0ed6'

# Docker Hub repository we'll push the (signed) attestation artifacts to
REFERRERS_REPO: oisupport/referrers
jobs:
build:
name: Build ${{ inputs.buildId }}
outputs:
shouldSign: ${{ steps.json.outputs.shouldSign }}
tags: ${{ steps.json.outputs.tags }}
platformString: ${{ steps.json.outputs.platformString }}
runs-on: ${{ inputs.bashbrewArch == 'windows-amd64' && format('windows-{0}', inputs.windowsVersion) || 'ubuntu-latest' }}
steps:

Expand Down Expand Up @@ -86,6 +96,7 @@ jobs:
".gha-bin/crane$ext" version
- name: JSON
id: json
run: |
json="$(
jq -L.scripts '
Expand All @@ -106,11 +117,19 @@ jobs:
mkdir build
# TODO signing prototype -- starting very small
shouldSign="$(jq <<<"$json" -L.scripts 'include "doi"; build_should_sign')"
[ "$shouldSign" = 'true' ] || [ "$shouldSign" = 'false' ] || exit 1
echo "shouldSign=$shouldSign" >> "$GITHUB_ENV"
echo "shouldSign=$shouldSign" >> "$GITHUB_OUTPUT"
if [ "$shouldSign" = 'true' ]; then
tags=$(jq <<<"$json" -L.scripts 'include "provenance"; [ tags ]')
echo 'tags<<EOF' >> $GITHUB_OUTPUT
echo "$tags" >> $GITHUB_OUTPUT
echo 'EOF' >> $GITHUB_OUTPUT
platformString="$(jq <<<"$json" -L.scripts 'include "provenance"; platform_string')"
echo "platformString=$platformString" >> "$GITHUB_OUTPUT"
fi
- name: Check
run: |
img="$(jq <<<"$json" -r '.build.img')"
Expand Down Expand Up @@ -153,7 +172,7 @@ jobs:
# TODO signing prototype (see above where "shouldSign" is populated)
- name: Configure AWS (for signing)
if: env.shouldSign == 'true'
if: steps.json.outputs.shouldSign == 'true'
# https://github.com/aws-actions/configure-aws-credentials/releases
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
Expand All @@ -162,7 +181,7 @@ jobs:
role-to-assume: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_ROLE_ARN || secrets.AWS_KMS_STAGE_ROLE_ARN }}
# TODO figure out if there's some way we could make our secrets ternaries here more DRY without major headaches 🙈
- name: Sign
if: env.shouldSign == 'true'
if: steps.json.outputs.shouldSign == 'true'
env:
AWS_KMS_REGION: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_REGION || secrets.AWS_KMS_STAGE_REGION }}
AWS_KMS_KEY_ARN: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_KEY_ARN || secrets.AWS_KMS_STAGE_KEY_ARN }}
Expand Down

0 comments on commit 94baf26

Please sign in to comment.