Switch should_sign to an output and add signing data

docker-library · Sep 17, 2024 · e3dcacb · e3dcacb
1 parent 50813e2
commit e3dcacb
Showing 1 changed file with 27 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -24,7 +24,6 @@ run-name: '${{ inputs.bashbrewArch }}: ${{ inputs.firstTag }} (${{ inputs.buildI
 permissions:
   contents: read
   actions: write # for https://github.com/andymckay/cancel-action (see usage below)
-  id-token: write # for AWS KMS signing (see usage below)
 concurrency:
   group: ${{ github.event.inputs.buildId }}
   cancel-in-progress: false
@@ -34,9 +33,20 @@ defaults:
 env:
   BUILD_ID: ${{ inputs.buildId }}
   BASHBREW_ARCH: ${{ inputs.bashbrewArch }}
+
+  # the image we'll run to access the signing tool
+  # https://explore.ggcr.dev/?repo=docker/image-signer-verifier
+  IMAGE_SIGNER: 'docker/image-signer-verifier:0.6.0@sha256:81f1ba7d3add2d0e9640d58b059ef0435327f68fc104aca4a685e8c0042e0ed6'
+
+  # Docker Hub repository we'll push the (signed) attestation artifacts to
+  REFERRERS_REPO: oisupport/referrers
 jobs:
   build:
     name: Build ${{ inputs.buildId }}
+    outputs:
+      shouldSign: ${{ steps.json.outputs.shouldSign }}
+      tags: ${{ steps.json.outputs.tags }}
+      platformString: ${{ steps.json.outputs.platformString }}
     runs-on: ${{ inputs.bashbrewArch == 'windows-amd64' && format('windows-{0}', inputs.windowsVersion) || 'ubuntu-latest' }}
     steps:
 
@@ -86,6 +96,7 @@ jobs:
           ".gha-bin/crane$ext" version
 
       - name: JSON
+        id: json
         run: |
           json="$(
             jq -L.scripts '
@@ -106,11 +117,21 @@ jobs:
 
           mkdir build
 
-          # TODO signing prototype -- starting very small
           shouldSign="$(jq <<<"$json" -L.scripts 'include "doi"; build_should_sign')"
           [ "$shouldSign" = 'true' ] || [ "$shouldSign" = 'false' ] || exit 1
-          echo "shouldSign=$shouldSign" >> "$GITHUB_ENV"
-
+          echo "shouldSign=$shouldSign" >> "$GITHUB_OUTPUT"
+
+          if [ "$shouldSign" = 'true' ]; then
+            tags=$(jq <<<"$json" -L.scripts 'include "provenance"; tags')
+            {
+              echo 'tags<<EOF'
+              echo "$tags"
+              echo EOF
+            } >> "$GITHUB_OUTPUT"
+
+            platformString="$(jq <<<"$json" -L.scripts 'include "provenance"; platform_string')"
+            echo "platformString=$platformString" >> "$GITHUB_OUTPUT"
+          fi
       - name: Check
         run: |
           img="$(jq <<<"$json" -r '.build.img')"
@@ -153,7 +174,7 @@ jobs:
 
       # TODO signing prototype (see above where "shouldSign" is populated)
       - name: Configure AWS (for signing)
-        if: env.shouldSign == 'true'
+        if: steps.json.outputs.shouldSign == 'true'
         # https://github.com/aws-actions/configure-aws-credentials/releases
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
@@ -162,7 +183,7 @@ jobs:
           role-to-assume: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_ROLE_ARN || secrets.AWS_KMS_STAGE_ROLE_ARN }}
           # TODO figure out if there's some way we could make our secrets ternaries here more DRY without major headaches 🙈
       - name: Sign
-        if: env.shouldSign == 'true'
+        if: steps.json.outputs.shouldSign == 'true'
         env:
           AWS_KMS_REGION:  ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_REGION  || secrets.AWS_KMS_STAGE_REGION }}
           AWS_KMS_KEY_ARN: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_KEY_ARN || secrets.AWS_KMS_STAGE_KEY_ARN }}