diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index edc52b0..65b0063 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -9,8 +9,8 @@ on: - main env: - REGISTRY: 192.168.1.2:8082 - IMAGE_NAME: my-docker-local/sigs + REGISTRY: evidencetrial.jfrog.io + IMAGE_NAME: misha-docker-docker-local/sigs jobs: build-and-push: @@ -34,8 +34,8 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: admin - password: password + username: ${{ secrets.user }} + password: ${{ secrets.password }} - name: Extract metadata (tags, labels) for Docker id: meta @@ -53,7 +53,7 @@ jobs: uses: docker/build-push-action@v6 with: context: . - push: ${{ github.event_name != 'pull_request' }} + push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} # Enable provenance and SBOM generation @@ -61,8 +61,15 @@ jobs: sbom: true - name: Generate artifact attestation - if: github.event_name != 'pull_request' uses: actions/attest-build-provenance@v2 with: - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - subject-digest: ${{ steps.build-and-push.outputs.digest }} + subject-name: ${{ env.IMAGE_NAME }}/pr-1/list.manifest.json + subject-digest: sha256:31aee6a749e3a739be317bddcb145a2f9ffec98b8c357410862c9694b6a3df31 + + - name: Create evidence from attestation + run: | + ./create_evidence.sh + + + + diff --git a/Dockerfile b/Dockerfile index 23aebb7..60e0d29 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Use the official lightweight Alpine image as the base -FROM golang:alpine AS builder +FROM evidencetrial.jfrog.io/misha-docker-docker/golang:alpine AS builder # Set the working directory inside the container 
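Review bot: The literal `admin` / `password` pair removed from the `username:` and `password:` lines remains in git history, so switching to `${{ secrets.user }}` / `${{ secrets.password }}` only helps if those registry credentials are also rotated. Prefer a scoped access or identity token for the registry over an account password, and name the secrets for what they unlock, e.g. `username: ${{ secrets.JFROG_USER }}` and `password: ${{ secrets.JFROG_TOKEN }}`, so a reader of the workflow can tell which system they grant access to. The `docker/login-action` step's `- name:` line is above this hunk.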
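Review bot: `push: true` now pushes on every trigger, whereas the removed expression skipped pushing for `pull_request` events; the `pr-1` subject name further down in this file suggests the workflow does run on pull requests, so any PR to this repository would publish a tagged image to the registry using the stored registry credentials. If that is intended, make sure the job's `permissions:` and the branch protection on the target repository are tightened to match; otherwise keep the gate, `push: ${{ github.event_name != 'pull_request' }}`. The `on:` block is outside this hunk, so the trigger set is inferred and should be confirmed.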
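Review bot: The attestation no longer describes what the job built: `subject-digest` is a hard-coded `sha256:31aee6…` and `subject-name` a fixed `…/pr-1/list.manifest.json`, so every run signs provenance for the same artifact regardless of the image `docker/build-push-action` actually pushed, and the evidence created from it cannot be used to verify anything. Bind the subject to the build output again, `subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` and `subject-digest: ${{ steps.build-and-push.outputs.digest }}` (the build step's `id:` is not visible in this hunk — confirm it is still `build-and-push`). If the intent was to attest a specific Artifactory manifest path, derive that path from the build step's outputs rather than committing a digest. Dropping the `if: github.event_name != 'pull_request'` guard also means attestations are now produced from PR runs, which is only sound if the unconditional `push: true` above is likewise intended.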
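Review bot: The new `FROM evidencetrial.jfrog.io/misha-docker-docker/golang:alpine AS builder` line pulls a mutable tag through a registry that `buildkitd.toml` in this same commit marks `insecure = true`, so the builder image is neither pinned nor guaranteed to arrive over a verified TLS connection. Pin the base image by digest, `FROM evidencetrial.jfrog.io/misha-docker-docker/golang:alpine@sha256:<digest-of-the-reviewed-image> AS builder`, so BuildKit verifies the content regardless of transport and the generated SBOM/provenance refers to a fixed input. The comment above it still calls this the "official lightweight Alpine image"; reword it to say the image is served from the private registry.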
@@ -18,7 +18,8 @@ COPY src/ ./src/ RUN go build -o main ./src/cmd/main.go # Use a minimal runtime image -FROM alpine:latest +FROM evidencetrial.jfrog.io/misha-docker-docker/alpine:latest + # Set the working directory inside the runtime container WORKDIR /app diff --git a/buildkitd.toml b/buildkitd.toml index c66f4f7..9fb655a 100644 --- a/buildkitd.toml +++ b/buildkitd.toml @@ -1,9 +1,4 @@ insecure-entitlements = ["security.insecure"] -[registry."192.168.50.113:8082"] - http = true -[registry."10.1.27.21:8082"] - http = true - -[registry."10.1.66.83:8082"] - http = true \ No newline at end of file +[registry."evidencetrial.jfrog.io"] + insecure = true diff --git a/create_evidence.sh b/create_evidence.sh new file mode 100755 index 0000000..c48dded --- /dev/null +++ b/create_evidence.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +set -euo pipefail + +# Folder where the runner temp files are stored +RUNNER_TEMP=${RUNNER_TEMP:-""} + +if [[ -z "$RUNNER_TEMP" ]]; then + echo "::warning RUNNER_TEMP environment variable is not set. Skipping evidence creation." + exit 0 +fi + +ATTESTATION_PATHS_FILE="$RUNNER_TEMP/created_attestation_paths.txt" + +# Check if attestation paths file exists +if [[ ! -f "$ATTESTATION_PATHS_FILE" ]]; then + echo "::info No attestation paths file found. Skipping evidence creation. Searched for: $ATTESTATION_PATHS_FILE." + exit 0 +fi + +echo "::info Reading attestation paths file: $ATTESTATION_PATHS_FILE" + +while IFS= read -r FILE_PATH || [[ -n "$FILE_PATH" ]]; do + # Trim whitespaces + FILE_PATH=$(echo "$FILE_PATH" | xargs) + + if [[ -z "$FILE_PATH" ]]; then + continue + fi + ./jf evd create --sigstore-bundle $FILE_PATH +done < "$ATTESTATION_PATHS_FILE" \ No newline at end of file diff --git a/jf b/jf new file mode 100755 index 0000000..741d98e Binary files /dev/null and b/jf differ
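Review bot: `FROM evidencetrial.jfrog.io/misha-docker-docker/alpine:latest` ties the runtime stage to a floating `latest` tag, so two builds of the same commit can land on different base layers and the SBOM and provenance generated by the workflow cannot be tied to a reproducible base. Pin it by digest, `FROM evidencetrial.jfrog.io/misha-docker-docker/alpine:latest@sha256:<digest-of-the-reviewed-image>` (with a digest present the tag becomes informational), and bump the digest deliberately when the base needs updating. The runtime stage continues past this hunk from `WORKDIR /app` onwards.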
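Review bot: `insecure = true` under `[registry."evidencetrial.jfrog.io"]` makes BuildKit skip TLS certificate verification for that registry (and, depending on the BuildKit version, fall back to plain HTTP), which is broader than the `http = true` the removed private-IP entries used and is unnecessary for a public `*.jfrog.io` host that serves a publicly trusted certificate. With it set, every base-image pull and image push in this pipeline travels over an unverified channel, so an attacker with network position could substitute layers; remove the table entirely, or if a private CA is genuinely in the path, reference it with `ca = ["/path/to/ca.pem"]` instead of disabling verification. The unchanged `insecure-entitlements = ["security.insecure"]` line is context here but is worth revisiting in the same pass, since it lets builds request unconfined execution.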
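Review bot: On the `./jf evd create --sigstore-bundle $FILE_PATH` line the path is unquoted, so a bundle path containing spaces or glob characters is split or expanded before it reaches `jf`, and the `xargs` trim two lines earlier additionally interprets quotes and backslashes and aborts on an unbalanced quote; trim with parameter expansion and quote the argument as below. The script also fails open — a missing `$RUNNER_TEMP` or a missing paths file exits 0 after a warning, so a run that silently produced no evidence still goes green; if evidence is a required control, exit non-zero on those paths, and note that workflow commands need the `::` separator (`::warning::…`, and `::notice::` rather than `::info`) to be parsed as annotations. Finally, `./jf` is an opaque binary added in this same commit and executed with the registry credentials in the environment without any integrity check; install the JFrog CLI from its official release with checksum verification in the workflow rather than vendoring an executable in the repository.

```shell
while IFS= read -r FILE_PATH || [[ -n "$FILE_PATH" ]]; do
  # Trim leading/trailing whitespace without xargs' quote/backslash parsing
  FILE_PATH="${FILE_PATH#"${FILE_PATH%%[![:space:]]*}"}"
  FILE_PATH="${FILE_PATH%"${FILE_PATH##*[![:space:]]}"}"

  if [[ -z "$FILE_PATH" ]]; then
    continue
  fi
  ./jf evd create --sigstore-bundle "$FILE_PATH"
done < "$ATTESTATION_PATHS_FILE"
```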