feat(cd): add cosign image signing and SBOM generation
This commit is contained in:
senke
parent
afea976f57
commit
c681b97e1f
1 changed files with 28 additions and 0 deletions
28
.github/workflows/cd.yml
vendored
28
.github/workflows/cd.yml
vendored
|
|
@ -79,6 +79,18 @@ jobs:
|
|||
exit-code: '1'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Generate SBOM
|
||||
run: |
|
||||
mkdir -p sbom
|
||||
for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
|
||||
trivy image --format cyclonedx --output "sbom/${svc}-${{ github.sha }}.json" "${svc}:${{ github.sha }}"
|
||||
done
|
||||
- name: Upload SBOM artifacts
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: sbom
|
||||
path: sbom/
|
||||
|
||||
- name: Push Images to Registry
|
||||
if: ${{ secrets.DOCKER_REGISTRY != '' }}
|
||||
run: |
|
||||
|
|
@ -90,6 +102,22 @@ jobs:
|
|||
docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
|
||||
done
|
||||
|
||||
- name: Install cosign
|
||||
if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
|
||||
uses: sigstore/cosign-installer@v3
|
||||
with:
|
||||
cosign-release: 'v2.2.0'
|
||||
- name: Sign images with cosign
|
||||
if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
|
||||
env:
|
||||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||
run: |
|
||||
echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
|
||||
for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
|
||||
cosign sign --key cosign.key --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
|
||||
cosign sign --key cosign.key --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
|
||||
done
|
||||
|
||||
- name: Deploy to Kubernetes
|
||||
if: ${{ secrets.KUBE_CONFIG != '' }}
|
||||
run: |
|
||||
|
|
|
|||
Loading…
Reference in a new issue