|
| 1 | +name: Build Nix OCI Image |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_call: |
| 5 | + inputs: |
| 6 | + nix-target: |
| 7 | + description: 'Nix flake build target (e.g. devguardOCI)' |
| 8 | + required: true |
| 9 | + type: string |
| 10 | + image-name: |
| 11 | + description: 'Full OCI image name without tag (e.g. ghcr.io/l3montree-dev/devguard/scanner)' |
| 12 | + required: true |
| 13 | + type: string |
| 14 | + artifact-name-suffix: |
| 15 | + description: 'Suffix appended to artifact names to avoid conflicts when building multiple images in the same workflow' |
| 16 | + required: false |
| 17 | + type: string |
| 18 | + default: '' |
| 19 | + asset-name: |
| 20 | + description: 'DevGuard asset name for supply chain tracking' |
| 21 | + required: true |
| 22 | + type: string |
| 23 | + api-url: |
| 24 | + description: 'DevGuard API URL' |
| 25 | + required: false |
| 26 | + type: string |
| 27 | + default: 'https://api.devguard.org' |
| 28 | + secrets: |
| 29 | + devguard-token: |
| 30 | + required: false |
| 31 | + outputs: |
| 32 | + image-tag: |
| 33 | + description: 'Full image tag of the built image' |
| 34 | + value: ${{ jobs.build.outputs.image-tag }} |
| 35 | + image-digest: |
| 36 | + description: 'Digest of the built image' |
| 37 | + value: ${{ jobs.build.outputs.image-digest }} |
| 38 | + artifact-purl: |
| 39 | + description: 'Package URL (PURL) of the built artifact' |
| 40 | + value: ${{ jobs.build.outputs.artifact-purl }} |
| 41 | + |
| 42 | +jobs: |
| 43 | + build: |
| 44 | + runs-on: ubuntu-latest |
| 45 | + outputs: |
| 46 | + image-tag: ${{ steps.set-image-tag.outputs.image_tag }} |
| 47 | + image-digest: ${{ steps.get-digest.outputs.digest }} |
| 48 | + artifact-purl: ${{ steps.set-purl.outputs.purl }} |
| 49 | + steps: |
| 50 | + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0 |
| 51 | + with: |
| 52 | + fetch-depth: 0 # needed for flake.nix to resolve self.shortRev |
| 53 | + persist-credentials: false |
| 54 | + |
| 55 | + - name: In-Toto Provenance record start |
| 56 | + uses: docker://ghcr.io/l3montree-dev/devguard/scanner:v1.0.0 |
| 57 | + with: |
| 58 | + args: devguard-scanner intoto start --step=build --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} |
| 59 | + continue-on-error: true |
| 60 | + |
| 61 | + - uses: cachix/install-nix-action@v31 |
| 62 | + with: |
| 63 | + extra_nix_config: | |
| 64 | + experimental-features = nix-command flakes |
| 65 | +
|
| 66 | + - uses: imjasonh/setup-crane@v0.1 |
| 67 | + |
| 68 | + - name: Build OCI image with Nix |
| 69 | + run: nix build .#${{ inputs.nix-target }} |
| 70 | + |
| 71 | + - name: Prepare image.tar |
| 72 | + run: gunzip -c "$(readlink -f result)" > image.tar |
| 73 | + |
| 74 | + - name: Get image digest |
| 75 | + id: get-digest |
| 76 | + run: | |
| 77 | + crane digest --tarball=image.tar > image-digest.txt |
| 78 | + echo "digest=$(cat image-digest.txt)" >> $GITHUB_OUTPUT |
| 79 | +
|
| 80 | + - name: Upload oci-image artifact |
| 81 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2 |
| 82 | + with: |
| 83 | + name: oci-image${{ inputs.artifact-name-suffix }} |
| 84 | + path: image.tar |
| 85 | + |
| 86 | + - name: Set image tag |
| 87 | + id: set-image-tag |
| 88 | + run: | |
| 89 | + if [[ "${GITHUB_REF}" == refs/tags/* ]]; then |
| 90 | + IMAGE_TAG="${{ inputs.image-name }}:${GITHUB_REF#refs/tags/}" |
| 91 | + else |
| 92 | + branch=${GITHUB_REF##*/} |
| 93 | + sha=${GITHUB_SHA::8} |
| 94 | + ts=$(date +%s) |
| 95 | + IMAGE_TAG="${{ inputs.image-name }}:${branch}-${sha}-${ts}" |
| 96 | + fi |
| 97 | + IMAGE_TAG=$(echo "$IMAGE_TAG" | tr '[:upper:]' '[:lower:]') |
| 98 | + echo "$IMAGE_TAG" > image-tag.txt |
| 99 | + echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV |
| 100 | + echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT |
| 101 | +
|
| 102 | + - name: Upload image-tag artifact |
| 103 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2 |
| 104 | + with: |
| 105 | + name: image-tag${{ inputs.artifact-name-suffix }} |
| 106 | + path: image-tag.txt |
| 107 | + |
| 108 | + - name: Upload image-digest artifact |
| 109 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2 |
| 110 | + with: |
| 111 | + name: image-digest${{ inputs.artifact-name-suffix }} |
| 112 | + path: image-digest.txt |
| 113 | + |
| 114 | + - name: Set artifact PURL |
| 115 | + id: set-purl |
| 116 | + run: | |
| 117 | + REGISTRY_AND_IMAGE=${IMAGE_TAG%:*} |
| 118 | + NAME=${REGISTRY_AND_IMAGE##*/} |
| 119 | + PURL="pkg:oci/$NAME?repository_url=$REGISTRY_AND_IMAGE" |
| 120 | + echo "$PURL" > artifact-purl.txt |
| 121 | + SAFE_PURL=$(echo -n "$PURL" | jq -s -R -r @uri) |
| 122 | + echo "$SAFE_PURL" > artifact-purl-safe.txt |
| 123 | + echo "purl=$PURL" >> $GITHUB_OUTPUT |
| 124 | +
|
| 125 | + - name: Upload artifact-purl artifact |
| 126 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2 |
| 127 | + with: |
| 128 | + name: artifact-purl${{ inputs.artifact-name-suffix }} |
| 129 | + path: artifact-purl.txt |
| 130 | + |
| 131 | + - name: Upload artifact-purl-safe artifact |
| 132 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2 |
| 133 | + with: |
| 134 | + name: artifact-purl-safe${{ inputs.artifact-name-suffix }} |
| 135 | + path: artifact-purl-safe.txt |
| 136 | + |
| 137 | + - name: In-Toto Provenance record stop |
| 138 | + uses: docker://ghcr.io/l3montree-dev/devguard/scanner:v1.0.0 |
| 139 | + with: |
| 140 | + args: devguard-scanner intoto stop --step=build --products=image-digest.txt --products=image-tag.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --generateSlsaProvenance |
| 141 | + continue-on-error: true |
| 142 | + |
| 143 | + - name: Upload SLSA Provenance |
| 144 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2 |
| 145 | + with: |
| 146 | + name: build${{ inputs.artifact-name-suffix }}.provenance.json |
| 147 | + path: build.provenance.json |
0 commit comments