GitHub-Bitwarden
/
self-host
mirror of https://github.com/bitwarden/self-host.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Sign main branch Unified container builds with cosign (#325)

pull/330/head
Matt Bishop 1 year ago committed by GitHub
parent
eb9328fd66
commit
cec826b9e6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 35 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 36
      .github/workflows/build-unified.yml

36
.github/workflows/build-unified.yml
Unescape View File

@ -34,6 +34,9 @@ jobs: @@ -34,6 +34,9 @@ jobs:
build-docker:
name: Build Docker image
runs-on: ubuntu-22.04
permissions:
security-events: write
id-token: write
steps:
- name: Checkout Repository - workflow_call
if: ${{ inputs.is_workflow_call == true }}
@ -145,9 +148,10 @@ jobs: @@ -145,9 +148,10 @@ jobs:
repository: bitwarden/server
token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
ref: ${{ steps.server-branch-name.outputs.server_branch }}
path: 'server'
path: "server"
- name: Build and push Docker image
id: build-docker
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: .
@ -161,6 +165,36 @@ jobs: @@ -161,6 +165,36 @@ jobs:
secrets: |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
- name: Install Cosign
if: inputs.is_workflow_call == true && github.ref == 'refs/heads/main'
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Sign image with Cosign
if: inputs.is_workflow_call == true && github.ref == 'refs/heads/main'
env:
DIGEST: ${{ steps.build-docker.outputs.digest }}
TAGS: ${{ steps.tag-list.outputs.tags }}
run: |
IFS="," read -a tags <<< "${TAGS}"
images=""
for tag in "${tags[@]}"; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
- name: Scan Docker image
id: container-scan
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
with:
image: ${{ steps.tag-list.outputs.primary_tag }}
fail-build: false
output-format: sarif
- name: Upload Grype results to GitHub
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
sarif_file: ${{ steps.container-scan.outputs.sarif }}
- name: Log out of Docker and disable Docker Notary
if: ${{ env.is_publish_branch == 'true' }}
run: |

Write Preview
Loading…
Cancel
Save