forked from badtuxx/giropops-senhas
-
-
Notifications
You must be signed in to change notification settings - Fork 1
144 lines (122 loc) · 4.39 KB
/
chainguard.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
name: Build e Distribuição de Pacotes com Melange e APKO
on:
push:
branches:
- 'main'
jobs:
build:
name: Build e Distribuição de Pacotes
runs-on: ubuntu-20.04
permissions:
actions: read
contents: read
security-events: write
steps:
# Checkout do código
- name: Checkout code
uses: actions/checkout@v3
# Configurar Docker Buildx
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
# Instalar Melange
- name: Install Melange
run: |
wget https://github.com/chainguard-dev/melange/releases/download/v0.11.2/melange_0.11.2_linux_386.tar.gz
tar -xzf melange_0.11.2_linux_386.tar.gz
cd melange_0.11.2_linux_386
sudo mv melange /usr/local/bin/
melange version
# Instalar APKO
- name: Install APKO
run: |
wget https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_386.tar.gz
tar -xzf apko_0.14.7_linux_386.tar.gz
cd apko_0.14.7_linux_386
sudo mv apko /usr/local/bin/
apko version
# Instalar Cosign
- name: Instalar Cosign
uses: sigstore/cosign-installer@v3.6.0
# Gerar chaves com Melange
- name: Generate keys with Melange
run: |
cd chainguard
melange keygen
# Construir pacotes com Melange
- name: Build packages with Melange
run: |
cd chainguard
melange build melange.yaml --runner docker --signing-key melange.rsa --arch amd64
# Construir imagem de container com APKO
- name: Build container image with APKO
run: |
cd chainguard
apko build apko.yaml senhas senhas.tar -k melange.rsa.pub --arch amd64
# Login no DockerHub
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
# Load da imagem Docker
- name: Load Docker image
run: |
cd chainguard
docker load < senhas.tar
docker images
# Extrair metadados (tags, labels) para Docker
- name: Extrair metadados (tags, labels) para Docker
id: meta
uses: docker/metadata-action@v5
with:
images: nataliagranato/senhas
# Gerar nome único para a tag
- name: Gerar nome único para a tag
id: generate-tag
run: |
# Obtém os primeiros 5 dígitos do hash do commit e a data
SHORT_HASH=$(git log -1 --pretty=format:%h | cut -c1-5)
TIMESTAMP=$(date +%Y%m%d%H%M%S)
echo "tag=${SHORT_HASH}-${TIMESTAMP}" >> $GITHUB_ENV
echo "::set-output name=tag::${SHORT_HASH}-${TIMESTAMP}"
# Fazer push da imagem Docker
- name: Push Docker image
id: push-docker-image
run: |
docker tag senhas:latest-amd64 ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }}
docker push ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }}
# Scan de segurança com Aqua Security Trivy
- name: Aqua Security Trivy
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: nataliagranato/senhas:${{ steps.generate-tag.outputs.tag }}
format: 'sarif'
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
output: 'trivy-results.sarif'
# Envio dos resultados do Trivy para a aba de Segurança do GitHub
- name: Fazer upload dos resultados do Trivy para a aba de Segurança do GitHub
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
# Assinar imagem com o Cosign
- name: Assinar imagem com uma chave
run: |
if [ -z "${TAGS}" ] || [ -z "${DIGEST}" ]; then
echo "Erro: TAGS ou DIGEST não estão definidos."
exit 1
fi
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
if [ -z "$images" ]; then
echo "Erro: Nenhuma imagem para assinar."
exit 1
fi
cosign sign --yes --key env://COSIGN_PRIVATE_KEY $images
env:
TAGS: ${{ steps.meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.push-docker-image.outputs.digest }}