|
| 1 | +#!/usr/bin/env bash |
| 2 | +set -euo pipefail |
| 3 | + |
| 4 | +ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" |
| 5 | +DOCKERFILE="${ROOT_DIR}/Dockerfile" |
| 6 | +WORKFLOW="${ROOT_DIR}/.github/workflows/build-push.yaml" |
| 7 | +SHARED_PUBLISHER_SHA="a86300fb8020d0f7141bb9f833d89b5dbd7aa4d7" |
| 8 | + |
| 9 | +require_text() { |
| 10 | + local value="$1" |
| 11 | + if ! grep -Fq -- "$value" "$WORKFLOW"; then |
| 12 | + printf 'image workflow must contain: %s\n' "$value" >&2 |
| 13 | + return 1 |
| 14 | + fi |
| 15 | +} |
| 16 | + |
| 17 | +forbid_text() { |
| 18 | + local value="$1" |
| 19 | + if grep -Fq -- "$value" "$WORKFLOW"; then |
| 20 | + printf 'image workflow must not contain: %s\n' "$value" >&2 |
| 21 | + return 1 |
| 22 | + fi |
| 23 | +} |
| 24 | + |
| 25 | +require_text "pull_request:" |
| 26 | +require_text "if: github.event_name == 'pull_request'" |
| 27 | +require_text "if: github.ref == 'refs/heads/main'" |
| 28 | +require_text "Build native image without credentials" |
| 29 | +require_text "libops/.github/.github/workflows/build-push.yaml@${SHARED_PUBLISHER_SHA}" |
| 30 | +require_text 'ref: ${{ github.sha }}' |
| 31 | +require_text "expected-main-sha: \${{ github.ref == 'refs/heads/main' && github.sha || '' }}" |
| 32 | +require_text "scan: true" |
| 33 | +require_text "sign: true" |
| 34 | +require_text "certificate-identity: https://github.com/libops/.github/.github/workflows/build-push.yaml@${SHARED_PUBLISHER_SHA}" |
| 35 | +require_text "packages: write" |
| 36 | +require_text "id-token: write" |
| 37 | + |
| 38 | +forbid_text "build-push.yaml@main" |
| 39 | +forbid_text "build-push-ghcr.yaml" |
| 40 | +forbid_text "secrets: inherit" |
| 41 | +forbid_text "docker-registry:" |
| 42 | +forbid_text "additional-gar-registry:" |
| 43 | + |
| 44 | +grep -Fq 'CLOUDSDK_STORAGE_USE_GCLOUD_CRC32C=false' "$DOCKERFILE" |
| 45 | +grep -Fq 'cryptography==48.0.1' "$DOCKERFILE" |
| 46 | +grep -Fq 'rm -f /usr/lib/google-cloud-sdk/bin/gcloud-crc32c' "$DOCKERFILE" |
0 commit comments