Skip to content

Commit

Permalink
polish the readme
Browse files Browse the repository at this point in the history
Signed-off-by: Josh Dolitsky <[email protected]>
  • Loading branch information
jdolitsky committed Jul 17, 2023
1 parent 983cfe7 commit 88d31b7
Showing 1 changed file with 84 additions and 6 deletions.
90 changes: 84 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,15 +1,93 @@
# wolfi-act
Dynamic GitHub Actions from Wolfi packages
Dynamic GitHub Actions from [Wolfi](https://wolfi.dev/) packages

Never worry again about installing your favorite tools using upstream "installer"
actions or whatever is available in GitHub via `apt-get`.

This action builds an emphermeral container image from the latest Wolfi packages
and runs your command inside of it.

## Usage

For example, run a grype scan:
Pass in `packages` with a comma-separated list of packages available in
Wolfi, along with a `command` you wish to run.

For example, run a grype and trivy scan on an image:

```yaml
- uses: jdolitsky/wolfi-act@main
with:
packages: grype
command: grype cgr.dev/chainguard/nginx
with:
packages: grype,trivy
command: |
grype cgr.dev/chainguard/nginx
trivy image cgr.dev/chainguard/nginx
```
TODO: pass in the github env
Here's a full Github Actions workflow example which does the following (source [here](./.github/workflows/build.yml)):
1. Installs tools: `curl`, `apko`, `cosign`, `crane`, `grype`, `trivy`
2. Downloads an apko config file using `curl`
3. Logs into GHCR using `crane`
4. Publishes a container image using `apko`
5. Signs the image using `cosign`
6. Scans the image with `grype` and `trivy`
7. Tags the image using `crane`
8. Ensure that the tagged image runs using `docker`

```yaml
on:
push:
branches:
- main
workflow_dispatch: {}
env:
IMAGE_REPO: ghcr.io/${{ github.repository }}/wolfi-act-test
APKO_CONFIG: https://raw.githubusercontent.com/chainguard-images/images/main/images/maven/configs/openjdk-17.apko.yaml
GHCR_USER: ${{ github.repository_owner }}
GHCR_PASS: ${{ github.token }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # needed for GitHub OIDC Token
steps:
- name: Build, sign, inspect an image using wolfi-act
uses: jdolitsky/wolfi-act@main
with:
packages: curl,apko,cosign,crane,grype,trivy
command: |
set -x
# Download an apko config file
curl -L -o apko.yaml "${APKO_CONFIG}"
# Login to GHCR
crane auth login ghcr.io -u "${GHCR_USER}" -p "${GHCR_PASS}"
# Publish image using apko
apko publish apko.yaml "${IMAGE_REPO}" \
--repository-append=https://packages.wolfi.dev/os \
--keyring-append=https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \
--package-append=wolfi-baselayout \
--arch=x86_64,aarch64 \
--image-refs=apko.images.txt | tee apko.index.txt
index_digest="$(cat apko.index.txt)"
# Sign image with cosign
cosign sign --yes $(cat apko.images.txt)
# Scan image with grype and trivy
grype "${index_digest}"
trivy image "${index_digest}"
# Tag image using crane
crane cp "${index_digest}" "${IMAGE_REPO}:latest"
- name: Make sure the image runs
run: |
set -x
docker run --rm "${IMAGE_REPO}:latest" --version
```

0 comments on commit 88d31b7

Please sign in to comment.