Skip to content
.github/workflows/build.yml

Merge pull request #10 from jedsalazar/pr/jed/github-token-lp #35

Sign in to view logs

Merge pull request #10 from jedsalazar/pr/jed/github-token-lp

Merge pull request #10 from jedsalazar/pr/jed/github-token-lp #35

Workflow file for this run

.github/workflows/build.yml at ee92e84
on:
push:
branches:
- main
workflow_dispatch: {}
env:
IMAGE_REPO: ghcr.io/${{ github.repository }}/wolfi-act-test
APKO_CONFIG: https://raw.githubusercontent.com/chainguard-images/images/main/images/maven/config/template.apko.yaml
GHCR_USER: ${{ github.repository_owner }}
GHCR_PASS: ${{ github.token }}
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # needed for GitHub OIDC Token
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Build, sign, inspect an image using wolfi-act
uses: wolfi-dev/wolfi-act@c7bc05c8af23bca710b267e0db3b39c939eb7b02 # main
with:
packages: curl,apko,cosign,crane,grype,trivy
command: |
set -x
# Download an apko config file
curl -L -o apko.yaml "${APKO_CONFIG}"
# Login to GHCR
crane auth login ghcr.io -u "${GHCR_USER}" -p "${GHCR_PASS}"
# Publish image using apko
apko publish apko.yaml "${IMAGE_REPO}" \
--repository-append=https://packages.wolfi.dev/os \
--keyring-append=https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \
--package-append=wolfi-baselayout,maven,openjdk-17,openjdk-17-default-jvm \
--arch=x86_64,aarch64 \
--image-refs=apko.images.txt | tee apko.index.txt
index_digest="$(cat apko.index.txt)"
# Sign image with cosign
cosign sign --yes $(cat apko.images.txt)
# Scan image with grype and trivy
grype "${index_digest}"
trivy image "${index_digest}"
# Tag image using crane
crane cp "${index_digest}" "${IMAGE_REPO}:latest"
- name: Make sure the image runs
run: |
set -x
docker run --rm -e JAVA_HOME=/usr/lib/jvm/java-17-openjdk "${IMAGE_REPO}:latest" --version