Skip to content

Commit 475f5fb

Browse files
committed
sign test
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
1 parent 39aa15e commit 475f5fb

2 files changed

Lines changed: 68 additions & 23 deletions

File tree

.github/workflows/lib-publish.yaml

Lines changed: 50 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,16 @@
11
name: publish
22
on:
3+
workflow_dispatch:
34
workflow_call:
45
inputs:
56
image_tag:
67
default: "devel"
78
required: false
89
type: string
10+
registry:
11+
default: "docker.io/intel"
12+
required: false
13+
type: string
914
env:
1015
no_base_check: "['intel-qat-plugin-kerneldrv', 'intel-idxd-config-initcontainer', 'crypto-perf', 'opae-nlb-demo']"
1116

@@ -20,27 +25,27 @@ jobs:
2025
fail-fast: false
2126
matrix:
2227
image:
23-
- intel-fpga-admissionwebhook
24-
- intel-fpga-initcontainer
25-
- intel-gpu-initcontainer
28+
#- intel-fpga-admissionwebhook
29+
# - intel-fpga-initcontainer
30+
# - intel-gpu-initcontainer
2631
- intel-gpu-plugin
27-
- intel-fpga-plugin
28-
- intel-qat-initcontainer
29-
- intel-qat-plugin
30-
- intel-deviceplugin-operator
31-
- intel-sgx-admissionwebhook
32-
- intel-sgx-plugin
33-
- intel-sgx-initcontainer
34-
- intel-dsa-plugin
35-
- intel-iaa-plugin
36-
- intel-idxd-config-initcontainer
37-
- intel-dlb-plugin
38-
- intel-dlb-initcontainer
39-
- intel-xpumanager-sidecar
32+
# - intel-fpga-plugin
33+
# - intel-qat-initcontainer
34+
# - intel-qat-plugin
35+
# - intel-deviceplugin-operator
36+
# - intel-sgx-admissionwebhook
37+
# - intel-sgx-plugin
38+
# - intel-sgx-initcontainer
39+
# - intel-dsa-plugin
40+
# - intel-iaa-plugin
41+
# - intel-idxd-config-initcontainer
42+
# - intel-dlb-plugin
43+
# - intel-dlb-initcontainer
44+
# - intel-xpumanager-sidecar
4045

4146
# # Demo images
42-
- crypto-perf
43-
- opae-nlb-demo
47+
#- crypto-perf
48+
#- opae-nlb-demo
4449
steps:
4550
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
4651
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
@@ -52,21 +57,43 @@ jobs:
5257
env:
5358
IMAGE_NAME: ${{ matrix.image }}
5459
run: |
55-
REG=intel/ make ${IMAGE_NAME} BUILDER=docker
60+
ORG=${{ inputs.registry }} TAG=${{ inputs.image_tag }} make ${IMAGE_NAME} BUILDER=docker
61+
- name: List images
62+
run: docker images
5663
- name: Trivy scan for image
5764
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
5865
with:
5966
scan-type: image
60-
image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
67+
image-ref: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
6168
exit-code: 1
6269
- name: Test image base layer
6370
# Don't run base layer check for selected images
6471
if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
65-
run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
72+
run: IMG=${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
6673
- name: Login
6774
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
6875
with:
76+
registry: ghcr.io
6977
username: ${{ secrets.DOCKERHUB_USER }}
7078
password: ${{ secrets.DOCKERHUB_PASS }}
71-
- name: Push
72-
run: docker push intel/${{ matrix.image }}:${{ inputs.image_tag }}
79+
- name: Push & Pull
80+
run: |
81+
docker push ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
82+
docker pull ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
83+
- name: Get image digest
84+
if: ${{ inputs.image_tag != 'devel' }}
85+
id: digest
86+
run: |
87+
echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }})" >> $GITHUB_OUTPUT
88+
- name: Install cosign
89+
if: ${{ inputs.image_tag != 'devel' }}
90+
uses: sigstore/cosign-installer@v3.6.0
91+
- name: Keyless image sign
92+
if: ${{ inputs.image_tag != 'devel' }}
93+
run: |
94+
echo ${{ steps.digest.outputs.image_sha }}
95+
cosign sign --yes ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
96+
#cosign sign --yes ${{ steps.digest.outputs.image_sha }}
97+
#- name: Verify the image signing
98+
# run: |
99+
# cosign verify --rekor-url "https://rekor.sigstore.dev/" ${{ steps.digest.outputs.image_sha }} --certificate-identity "https://github.com/saintmalik/sign-container-images/.github/workflows/keyless.yaml@refs/heads/main" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .

.github/workflows/test.yaml

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
name: Test
2+
on:
3+
workflow_dispatch:
4+
push:
5+
6+
permissions:
7+
contents: read
8+
pull-requests: read
9+
id-token: write
10+
11+
jobs:
12+
build:
13+
name: Build & Publish
14+
uses: "./.github/workflows/lib-publish.yaml"
15+
secrets: inherit
16+
with:
17+
image_tag: v9.99.9
18+
registry: ghcr.io/tkatila

0 commit comments

Comments
 (0)