Update mirror.yaml
92
.github/workflows/mirror.yaml
@@ -6,17 +6,14 @@ on:
|
|||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
packages: write
|
packages: write
|
||||||
id-token: write
|
id-token: write # for keyless OIDC
|
||||||
|
|
||||||
env:
|
env:
|
||||||
# >>> CHANGE THIS PER REPO <<<
|
|
||||||
SOURCE_IMAGE: docker.io/fosrl/newt
|
SOURCE_IMAGE: docker.io/fosrl/newt
|
||||||
|
|
||||||
# GHCR target under THIS GitHub repo
|
|
||||||
DEST_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
|
DEST_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
mirror-and-sign:
|
mirror-and-dual-sign:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Install skopeo + jq
|
- name: Install skopeo + jq
|
||||||
@@ -26,7 +23,7 @@ jobs:
|
|||||||
skopeo --version
|
skopeo --version
|
||||||
|
|
||||||
- name: Install cosign
|
- name: Install cosign
|
||||||
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad
|
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
|
||||||
|
|
||||||
- name: Input check
|
- name: Input check
|
||||||
run: |
|
run: |
|
||||||
@@ -34,14 +31,21 @@ jobs:
|
|||||||
echo "Source : ${SOURCE_IMAGE}"
|
echo "Source : ${SOURCE_IMAGE}"
|
||||||
echo "Target : ${DEST_IMAGE}"
|
echo "Target : ${DEST_IMAGE}"
|
||||||
|
|
||||||
- name: Login to GHCR
|
# Auth for skopeo (containers-auth)
|
||||||
|
- name: Skopeo login to GHCR
|
||||||
run: |
|
run: |
|
||||||
skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
|
skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
|
||||||
|
|
||||||
# Optional (private/rate-limited pulls)
|
# >>> IMPORTANT: Auth for cosign (docker-config) <<<
|
||||||
# - name: Login to Docker Hub
|
- name: Docker login to GHCR (for cosign)
|
||||||
# if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
run: |
|
||||||
# run: skopeo login docker.io -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_TOKEN }}"
|
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||||
|
|
||||||
|
# Optional (if Docker Hub private / tight limits)
|
||||||
|
# - name: Login to Docker Hub (skopeo and cosign share this via docker login)
|
||||||
|
# run: |
|
||||||
|
# echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login docker.io -u "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin
|
||||||
|
# skopeo login docker.io -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_TOKEN }}"
|
||||||
|
|
||||||
- name: List source tags
|
- name: List source tags
|
||||||
run: |
|
run: |
|
||||||
@@ -61,16 +65,21 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
echo "Existing destination tags: $(wc -l < dst-tags.txt)"
|
echo "Existing destination tags: $(wc -l < dst-tags.txt)"
|
||||||
|
|
||||||
- name: Mirror & dual-sign (keyless + key)
|
- name: Mirror, dual-sign, and verify
|
||||||
env:
|
env:
|
||||||
# keyless:
|
# keyless
|
||||||
COSIGN_YES: "true" # auto-confirm
|
COSIGN_YES: "true"
|
||||||
# key-based:
|
# key-based
|
||||||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
||||||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||||
|
# verify
|
||||||
|
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
copied=0; skipped=0; signed_keyless=0; signed_key=0; errs=0
|
copied=0; skipped=0; v_ok=0; errs=0
|
||||||
|
|
||||||
|
issuer="https://token.actions.githubusercontent.com"
|
||||||
|
id_regex="^https://github.com/${{ github.repository }}/.+"
|
||||||
|
|
||||||
while read -r tag; do
|
while read -r tag; do
|
||||||
[ -z "$tag" ] && continue
|
[ -z "$tag" ] && continue
|
||||||
@@ -89,47 +98,42 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
copied=$((copied+1))
|
copied=$((copied+1))
|
||||||
|
|
||||||
# digest-based signing (stable ref)
|
|
||||||
digest="$(skopeo inspect --retry-times 3 docker://"${DEST_IMAGE}:${tag}" | jq -r '.Digest')"
|
digest="$(skopeo inspect --retry-times 3 docker://"${DEST_IMAGE}:${tag}" | jq -r '.Digest')"
|
||||||
ref="${DEST_IMAGE}@${digest}"
|
ref="${DEST_IMAGE}@${digest}"
|
||||||
|
|
||||||
echo "==> cosign sign (keyless) --recursive ${ref}"
|
echo "==> cosign sign (keyless) --recursive ${ref}"
|
||||||
if cosign sign --recursive "${ref}"; then
|
if ! cosign sign --recursive "${ref}"; then
|
||||||
signed_keyless=$((signed_keyless+1))
|
|
||||||
else
|
|
||||||
echo "::warning title=Keyless sign failed::${ref}"
|
echo "::warning title=Keyless sign failed::${ref}"
|
||||||
errs=$((errs+1))
|
errs=$((errs+1))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "==> cosign sign (key) --recursive ${ref}"
|
echo "==> cosign sign (key) --recursive ${ref}"
|
||||||
if cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${ref}"; then
|
if ! cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${ref}"; then
|
||||||
signed_key=$((signed_key+1))
|
|
||||||
else
|
|
||||||
echo "::warning title=Key sign failed::${ref}"
|
echo "::warning title=Key sign failed::${ref}"
|
||||||
errs=$((errs+1))
|
errs=$((errs+1))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
echo "==> cosign verify (public key) ${ref}"
|
||||||
|
if ! cosign verify --key env://COSIGN_PUBLIC_KEY "${ref}" -o text; then
|
||||||
|
echo "::warning title=Verify(pubkey) failed::${ref}"
|
||||||
|
errs=$((errs+1))
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "==> cosign verify (keyless policy) ${ref}"
|
||||||
|
if ! cosign verify \
|
||||||
|
--certificate-oidc-issuer "${issuer}" \
|
||||||
|
--certificate-identity-regexp "${id_regex}" \
|
||||||
|
"${ref}" -o text; then
|
||||||
|
echo "::warning title=Verify(keyless) failed::${ref}"
|
||||||
|
errs=$((errs+1))
|
||||||
|
else
|
||||||
|
v_ok=$((v_ok+1))
|
||||||
|
fi
|
||||||
done < src-tags.txt
|
done < src-tags.txt
|
||||||
|
|
||||||
echo "---- Summary ----"
|
echo "---- Summary ----"
|
||||||
echo "Copied : $copied"
|
echo "Copied : $copied"
|
||||||
echo "Skipped (exists) : $skipped"
|
echo "Skipped : $skipped"
|
||||||
echo "Signed (keyless) : $signed_keyless"
|
echo "Verified OK : $v_ok"
|
||||||
echo "Signed (key) : $signed_key"
|
echo "Errors : $errs"
|
||||||
echo "Errors : $errs"
|
|
||||||
|
|
||||||
# Optional: immediate verify using your public key (one sample tag if present)
|
|
||||||
- name: Optional verify (public key) for the newest mirrored tag
|
|
||||||
if: always()
|
|
||||||
env:
|
|
||||||
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
|
|
||||||
run: |
|
|
||||||
set -euo pipefail
|
|
||||||
last_tag="$(tail -n 1 src-tags.txt || true)"
|
|
||||||
if [ -n "$last_tag" ] && grep -Fxq "$last_tag" dst-tags.txt; then
|
|
||||||
digest="$(skopeo inspect docker://"${DEST_IMAGE}:${last_tag}" | jq -r '.Digest')"
|
|
||||||
ref="${DEST_IMAGE}@${digest}"
|
|
||||||
echo "Verifying ${ref} with COSIGN_PUBLIC_KEY..."
|
|
||||||
cosign verify --key env://COSIGN_PUBLIC_KEY "${ref}" -o text || true
|
|
||||||
else
|
|
||||||
echo "No mirrored tag to verify in this run."
|
|
||||||
fi
|
|
||||||
|
|||||||
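Review bot: In the "Mirror, dual-sign, and verify" step, `errs` is incremented on every failed `cosign sign` and `cosign verify`, but as far as the hunk shows nothing acts on it after the summary, so the step exits 0 and a tag that was already copied to `DEST_IMAGE` but could not be signed or verified is published with only a `::warning` annotation; unless a line past the hunk does this, end the script with `if [ "$errs" -gt 0 ]; then echo "::error::${errs} sign/verify failure(s)"; exit 1; fi`. The keyless policy check also accepts a certificate issued to any workflow in the repository, because `id_regex` is `^https://github.com/${{ github.repository }}/.+`; the identity this job's own OIDC token produces can be matched exactly with `--certificate-identity "https://github.com/${{ github.workflow_ref }}"`, which pins the workflow file and ref instead of the whole repository. The public-key verify uses the key pair from the same `COSIGN_PRIVATE_KEY`/`COSIGN_PUBLIC_KEY` secrets that just produced the signature, so it confirms the signature was written, not that a consumer with an independently distributed key can trust it; a comment such as `# smoke test: same key pair as the signer, not an independent check` above `COSIGN_PUBLIC_KEY` would keep later readers from over-reading "Verified OK". The `run: |` script may continue past the end of the hunk.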