Skip to content
This repository was archived by the owner on Jun 16, 2026. It is now read-only.

Commit bc99d40

Browse files
committed
using nixpkgs instead of setup routine
1 parent 23e054e commit bc99d40

1 file changed

Lines changed: 17 additions & 25 deletions

File tree

.github/workflows/build-nix-image.yml

Lines changed: 17 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -93,21 +93,19 @@ jobs:
9393
fetch-depth: 0 # needed for flake.nix to resolve self.shortRev
9494
persist-credentials: false
9595

96-
- name: In-Toto Provenance record start
97-
uses: docker://ghcr.io/l3montree-dev/devguard/scanner:v1.0.0
98-
with:
99-
args: devguard-scanner intoto start --step=build --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }}
100-
continue-on-error: true
101-
10296
- uses: cachix/install-nix-action@v31
10397
with:
10498
extra_nix_config: |
10599
experimental-features = nix-command flakes
106100
${{ inputs.nix-cache-substituter != '' && format('substituters = https://cache.nixos.org {0}', inputs.nix-cache-substituter) || '' }}
107101
${{ inputs.nix-cache-public-key != '' && format('trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= {0}', inputs.nix-cache-public-key) || '' }}
108102
109-
- name: Install crane
110-
run: nix profile install nixpkgs#crane
103+
- name: Install crane and devguard-scanner
104+
run: nix profile install nixpkgs#crane .#devguardScanner
105+
106+
- name: In-Toto Provenance record start
107+
run: devguard-scanner intoto start --step=build --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }}
108+
continue-on-error: true
111109

112110
- name: Write Nix cache secret key
113111
if: ${{ inputs.nix-cache-s3-endpoint != '' }}
@@ -148,20 +146,16 @@ jobs:
148146

149147
- name: Set image tag
150148
id: set-image-tag
151-
uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
152-
with:
153-
args: >
154-
sh -c "
155-
devguard-scanner generate-tag
156-
--imagePath='${{ inputs.image-name }}'
157-
--ref='${{ github.ref_name }}'
158-
--architecture='${{ inputs.arch }}'
159-
>> image-tag-env.txt
160-
IMAGE_TAG=$(grep '^IMAGE_TAG=' image-tag-env.txt | cut -d= -f2-)
161-
echo \"\$IMAGE_TAG\" > image-tag.txt
162-
echo \"image_tag=\$IMAGE_TAG\" >> \"\$GITHUB_OUTPUT\"
163-
echo \"IMAGE_TAG=\$IMAGE_TAG\" >> \"\$GITHUB_ENV\"
164-
"
149+
run: |
150+
devguard-scanner generate-tag \
151+
--imagePath='${{ inputs.image-name }}' \
152+
--ref='${{ github.ref_name }}' \
153+
--architecture='${{ inputs.arch }}' \
154+
>> image-tag-env.txt
155+
IMAGE_TAG=$(grep '^IMAGE_TAG=' image-tag-env.txt | cut -d= -f2-)
156+
echo "$IMAGE_TAG" > image-tag.txt
157+
echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
158+
echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
165159
166160
- name: Upload image-tag artifact
167161
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2
@@ -199,9 +193,7 @@ jobs:
199193
path: artifact-purl-safe.txt
200194

201195
- name: In-Toto Provenance record stop
202-
uses: docker://ghcr.io/l3montree-dev/devguard/scanner:v1.0.0
203-
with:
204-
args: devguard-scanner intoto stop --step=build --products=image-digest.txt --products=image-tag.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --generateSlsaProvenance
196+
run: devguard-scanner intoto stop --step=build --products=image-digest.txt --products=image-tag.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --generateSlsaProvenance
205197
continue-on-error: true
206198

207199
- name: Upload SLSA Provenance

0 commit comments

Comments
 (0)