Merge pull request #2 from wolfi-dev/cleanup #34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches: | |
- main | |
workflow_dispatch: {} | |
env: | |
IMAGE_REPO: ghcr.io/${{ github.repository }}/wolfi-act-test | |
APKO_CONFIG: https://raw.githubusercontent.com/chainguard-images/images/main/images/maven/config/template.apko.yaml | |
GHCR_USER: ${{ github.repository_owner }} | |
GHCR_PASS: ${{ github.token }} | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
id-token: write # needed for GitHub OIDC Token | |
steps: | |
- name: Build, sign, inspect an image using wolfi-act | |
uses: wolfi-dev/wolfi-act@main | |
with: | |
packages: curl,apko,cosign,crane,grype,trivy | |
command: | | |
set -x | |
# Download an apko config file | |
curl -L -o apko.yaml "${APKO_CONFIG}" | |
# Login to GHCR | |
crane auth login ghcr.io -u "${GHCR_USER}" -p "${GHCR_PASS}" | |
# Publish image using apko | |
apko publish apko.yaml "${IMAGE_REPO}" \ | |
--repository-append=https://packages.wolfi.dev/os \ | |
--keyring-append=https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \ | |
--package-append=wolfi-baselayout,maven,openjdk-17,openjdk-17-default-jvm \ | |
--arch=x86_64,aarch64 \ | |
--image-refs=apko.images.txt | tee apko.index.txt | |
index_digest="$(cat apko.index.txt)" | |
# Sign image with cosign | |
cosign sign --yes $(cat apko.images.txt) | |
# Scan image with grype and trivy | |
grype "${index_digest}" | |
trivy image "${index_digest}" | |
# Tag image using crane | |
crane cp "${index_digest}" "${IMAGE_REPO}:latest" | |
- name: Make sure the image runs | |
run: | | |
set -x | |
docker run --rm -e JAVA_HOME=/usr/lib/jvm/java-17-openjdk "${IMAGE_REPO}:latest" --version |