diff --git a/.github/workflows/publish_map.yml b/.github/workflows/publish_map.yml
index 5fc67d6..73e0d18 100644
--- a/.github/workflows/publish_map.yml
+++ b/.github/workflows/publish_map.yml
@@ -9,6 +9,11 @@ on:
 jobs:
   build:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
     runs-on: ${{ matrix.os }}
     strategy:
@@ -53,7 +58,41 @@ jobs:
           monai-deploy package app --base nvcr.io/nvidia/pytorch:22.08-py3 --tag map-init:temp -l DEBUG
           docker images
           docker build --build-arg INIT_CONTAINER=map-init:temp -t map-final:temp app
+          echo "IMAGE_DIGEST=$(docker images --no-trunc -q map-final:temp)" >> $GITHUB_ENV
           docker images
           monai-deploy run map tests/data/rtstructwriter/dcm tests/data/output
           ls tests/data/output
-          if test -f "tests/data/output/output-rt-struct.dcm"; then echo "Output RT Struct exists."; fi
\ No newline at end of file
+          if test -f "tests/data/output/output-rt-struct.dcm"; then echo "Output RT Struct exists."; fi
+
+      - name: Build Software Build of Materials
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_DIGEST }}
+          format: spdx-json
+          output: sbom.spdx.json
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Tag Docker image
+        run: docker tag map-final:temp ghcr.io/${{ github.repository }}/map-final:temp
+
+      - name: Push Docker image
+        run: docker push ghcr.io/${{ github.repository }}/map-final:temp
+
+      - name: Install sigstore cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Sign image
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }}
+
+      - name: Sign attestations
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign attest --yes --type spdx --predicate sbom.spdx.json ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }}
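Review bot: `IMAGE_DIGEST` is captured from `docker images --no-trunc -q map-final:temp` before the push, which yields the local image ID rather than the registry manifest digest, and the `cosign sign` / `cosign attest` references (`ghcr.io/${{ github.repository }}@…`) also drop the `/map-final` path segment that the tag and push steps use, so the signature and SBOM attestation are unlikely to attach to the image that was actually pushed; capture the digest after `docker push` (e.g. from `docker inspect --format '{{index .RepoDigests 0}}'`) and sign the same repository path. Separately, `aquasecurity/trivy-action@master` and `sigstore/cosign-installer@main` are mutable branch refs running in a job that now holds `packages: write` and `id-token: write`, so any change landing on those branches executes with registry push rights and this workflow's OIDC identity — pin both to a full commit SHA. `env.REGISTRY` is not set anywhere in this hunk; if it is not defined at workflow level, docker/login-action falls back to Docker Hub and the `ghcr.io` push will be unauthenticated. Trivy can scan the local image by tag (`image-ref: map-final:temp`), which removes the dependency on a pre-push digest and lets the `echo "IMAGE_DIGEST=…"` line be dropped from the build step.
```yaml
      # … unchanged: build/test run step, minus the IMAGE_DIGEST echo line …
      - name: Build Software Build of Materials
        uses: aquasecurity/trivy-action@<full-commit-sha>  # placeholder: pin to a commit SHA, not a branch
        with:
          image-ref: map-final:temp
          format: spdx-json
          output: sbom.spdx.json
      # … unchanged: registry login and docker tag steps …
      - name: Push Docker image
        run: |
          docker push ghcr.io/${{ github.repository }}/map-final:temp
          echo "IMAGE_DIGEST=$(docker inspect --format '{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}/map-final:temp | cut -d@ -f2)" >> "$GITHUB_ENV"
      - name: Install sigstore cosign
        uses: sigstore/cosign-installer@<full-commit-sha>  # placeholder: pin to a commit SHA, not a branch
      - name: Sign image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: cosign sign --yes ghcr.io/${{ github.repository }}/map-final@${{ env.IMAGE_DIGEST }}
      - name: Sign attestations
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: cosign attest --yes --type spdx --predicate sbom.spdx.json ghcr.io/${{ github.repository }}/map-final@${{ env.IMAGE_DIGEST }}
```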