forked from badtuxx/giropops-senhas
-
-
Notifications
You must be signed in to change notification settings - Fork 1
102 lines (88 loc) · 3.42 KB
/
chainguard.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
jobs:
deploy:
runs-on: ubuntu-latest
steps:
# Passo 1: Checkout do código
- name: Checkout code
uses: actions/checkout@v3
# Passo 2: Configurar Docker Buildx
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
# Passo 3: Instalar Melange
- name: Install Melange
run: |
wget https://github.com/chainguard-dev/melange/releases/download/v0.11.2/melange_0.11.2_linux_386.tar.gz
tar -xzf melange_0.11.2_linux_386.tar.gz
sudo mv melange /usr/local/bin/
melange version
# Passo 4: Instalar APKO
- name: Install APKO
run: |
wget https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_386.tar.gz
tar -xzf apko_0.14.7_linux_386.tar.gz
sudo mv apko /usr/local/bin/
apko version
# Passo 5: Gerar chaves com Melange
- name: Generate keys with Melange
run: |
cd chainguard
melange keygen
# Passo 6: Construir pacotes com Melange
- name: Build packages with Melange
run: |
cd chainguard
melange build melange.yaml --runner docker --signing-key melange.rsa --arch amd64
# Passo 7: Construir imagem de container com APKO
- name: Build container image with APKO
run: |
cd chainguard
apko build apko.yaml senhas senhas.tar -k melange.rsa.pub --arch amd64
# Passo 8: Carregar a imagem Docker
- name: Load Docker image
run: |
docker load < senhas.tar
docker images
# Passo 9: Fazer login no DockerHub
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
# Passo 10: Gerar nome único para a tag
- name: Gerar nome único para a tag
id: generate-tag
run: |
SHORT_HASH=$(git log -1 --pretty=format:%h | cut -c1-5)
TIMESTAMP=$(date +%Y%m%d%H%M%S)
echo "tag=${SHORT_HASH}-${TIMESTAMP}" >> $GITHUB_ENV
echo "::set-output name=tag::${SHORT_HASH}-${TIMESTAMP}"
# Passo 11: Fazer push da imagem Docker
- name: Fazer push da imagem Docker
run: |
docker tag senhas:latest-amd64 ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }}
docker push ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }}
# Passo 12: Scan de segurança com Trivy
- name: Aqua Security Trivy
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: nataliagranato/linuxtips-giropops-senhas:${{ steps.generate-tag.outputs.tag }}
format: 'sarif'
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
output: 'trivy-results.sarif'
- name: Fazer upload dos resultados do Trivy para a aba de Segurança do GitHub
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Assinar imagem com uma chave
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes --key env://COSIGN_PRIVATE_KEY $images
env:
TAGS: ${{ steps.meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.<load-images>.outputs.digest }}