gh-actions/setup-docker-trust/action.yml

name: "Setup Docker Trust"
description: "Configures Docker Trust"
inputs:
  azure-creds:
    description: 'Credentials for the Azure Subscription that contains the docker trust secrets.  (Deprecated, use AZURE ID inputs instead)'
    required: false
    default: ""
  azure-subscription-id:
    description: 'The Azure Subscription ID that contains the Key Vault with the specified secrets'
    required: false
    default: ""
  azure-tenant-id:
    description: 'The Azure Tenant ID that contains the Key Vault with the specified secrets'
    required: false
    default: ""
  azure-client-id:
    description: 'The Azure Client ID that contains the Key Vault with the specified secrets'
    required: false
    default: ""
  azure-keyvault-name:
    description: 'The name of the Key Vault with the specified secrets'
outputs:
  dct-delegate-repo-passphrase:
    description: 'DCT Delegate Repository Passphrase'
    value: ${{ steps.get-secrets.outputs.dct-delegate-repo-passphrase }}
runs:
  using: "composite"
  steps:
    - name: Check Runner OS
      shell: bash
      run: |
        if ["$RUNNER_OS" != "Linux"]; then
          echo "[!] This workflow only supports Linux runners"
          exit 1
        fi        

    - name: Login to Azure - Prod Subscription
      if: ${{ inputs.azure-creds != '' }}
      uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
      with:
        creds: ${{ inputs.azure-creds }}

    - name: Azure Login
      if: ${{ inputs.azure-client-id != '' }}
      uses: bitwarden/gh-actions/azure-login@main
      with:
        subscription_id: ${{ inputs.azure-subscription-id }}
        tenant_id: ${{ inputs.azure-tenant-id }}
        client_id: ${{ inputs.azure-client-id }}

    - name: Retrieve secrets
      id: get-secrets
      uses: bitwarden/gh-actions/get-keyvault-secrets@main
      with:
        keyvault: "${{ inputs.azure-keyvault-name }}"
        secrets: "docker-password,
          docker-username,
          dct-delegate-repo-passphrase,
          dct-delegate-key"

    - name: Azure Logout
      if: ${{ inputs.azure-client-id != '' }}
      uses: bitwarden/gh-actions/azure-logout@main

    - name: Log into Docker
      shell: bash
      env:
        DOCKER_USERNAME: ${{ steps.get-secrets.outputs.docker-username }}
        DOCKER_PASSWORD: ${{ steps.get-secrets.outputs.docker-password }}
      run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin

    - name: Setup Docker Trust
      shell: bash
      env:
        DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
        DCT_DELEGATE_KEY: ${{ steps.get-secrets.outputs.dct-delegate-key }}
      run: |
        mkdir -p ~/.docker/trust/private
        echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key