diff --git a/.github/workflows/docker-githubaction.yml b/.github/workflows/docker-githubaction.yml index 3bd2a310..4d923820 100644 --- a/.github/workflows/docker-githubaction.yml +++ b/.github/workflows/docker-githubaction.yml @@ -98,3 +98,10 @@ jobs: -t "ghcr.io/${IMAGE_NAME}:4-githubaction" \ -t "ghcr.io/${IMAGE_NAME}:latest-githubaction" \ . + + - name: Report action.yml digest to pin + run: | + GITHUBACTION_DIGEST=$(docker buildx imagetools inspect "${IMAGE_NAME}:4-githubaction" --format '{{printf "%s" .Manifest.Digest}}') + echo "Published ${IMAGE_NAME}:4-githubaction at ${GITHUBACTION_DIGEST}" + echo "Update action.yml image to:" + echo " docker://${IMAGE_NAME}:4-githubaction@${GITHUBACTION_DIGEST}" diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 890a0211..025953db 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -5,6 +5,32 @@ permissions: jobs: + verify-action-digest: + name: Verify action.yml image digest + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + + - name: Verify action.yml digest matches published image + run: | + PINNED_DIGEST=$(grep -oE 'sha256:[a-f0-9]{64}' action.yml | head -1) + if [ -z "${PINNED_DIGEST}" ]; then + echo "::error::action.yml does not pin the runtime image by digest" + exit 1 + fi + + LATEST_DIGEST=$(docker buildx imagetools inspect docker.io/mikefarah/yq:4-githubaction --format '{{printf "%s" .Manifest.Digest}}') + + echo "action.yml pins: ${PINNED_DIGEST}" + echo "mikefarah/yq:4-githubaction: ${LATEST_DIGEST}" + + if [ "${PINNED_DIGEST}" != "${LATEST_DIGEST}" ]; then + echo "::error::action.yml digest does not match the current mikefarah/yq:4-githubaction image" + echo "Update the image line in action.yml to:" + echo " docker://mikefarah/yq:4-githubaction@${LATEST_DIGEST}" + exit 1 + fi + build: name: Build runs-on: ubuntu-latest diff --git a/action.yml b/action.yml index 3ff32f57..2bd0de70 100644 --- a/action.yml 
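Review bot: The digest the new "Report action.yml digest to pin" step resolves is only echoed to the job log, so the value that is meant to be copied into action.yml has to be picked out of log output by hand and an empty result would be printed as a valid-looking `…@` reference; the `run:` block should guard the value and also write it to the step summary, e.g. `[ -n "${GITHUBACTION_DIGEST}" ] || { echo "::error::could not resolve digest for ${IMAGE_NAME}:4-githubaction"; exit 1; }` followed by `echo "Published ${IMAGE_NAME}:4-githubaction at ${GITHUBACTION_DIGEST}" >> "$GITHUB_STEP_SUMMARY"`. The step inspects the mutable registry tag rather than the digest the preceding build produced, so it reports whatever the tag points at when the step runs; if the build is ever made to emit a metadata file or digest output, reading that would tie the report to the artifact that was just pushed. The build step whose `-t` flags form the hunk's context starts outside the hunk and `IMAGE_NAME` is defined elsewhere in the workflow, so whether the unprefixed `${IMAGE_NAME}:4-githubaction` resolves to the same Docker Hub image that go.yml checks cannot be confirmed from here.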
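Review bot: `PINNED_DIGEST=$(grep -oE 'sha256:[a-f0-9]{64}' action.yml | head -1)` in the new verify-action-digest job takes the first sha256 anywhere in action.yml rather than the one on the `image:` line, so any other digest-shaped string added earlier in the file (a comment, another pinned reference) would be compared instead; anchor the match to the reference being verified, e.g. `PINNED_DIGEST=$(grep -oE 'docker://mikefarah/yq:4-githubaction@sha256:[a-f0-9]{64}' action.yml | head -1 | cut -d@ -f2)`, which also confirms the pin is for the same repository and tag that the `LATEST_DIGEST` lookup resolves. The step declares no `shell:`, so it presumably runs under the default `bash -e` without `pipefail`; if `shell: bash` is later added, a no-match `grep` would abort the pipeline before the `-z` branch prints its `::error::` message, so appending `|| true` inside the substitution keeps that error reachable. The check treats the live Docker Hub tag as the source of truth, so it detects drift between action.yml and the registry rather than anything wrong with the registry itself, and it will fail every PR whenever `4-githubaction` is re-published until action.yml is updated; a short comment above the step stating that expectation would save the next maintainer a surprised red build.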
+++ b/action.yml @@ -12,6 +12,6 @@ outputs: description: "The complete result from the yq command being run" runs: using: 'docker' - image: 'docker://mikefarah/yq:4-githubaction' + image: 'docker://mikefarah/yq:4-githubaction@sha256:e1b8c865f299ea6b02910a7ddf147d5d431244d4cc116f89c2148c9f53822906' args: - ${{ inputs.cmd }} diff --git a/release_instructions.txt b/release_instructions.txt index 9cb00b6c..c220ae28 100644 --- a/release_instructions.txt +++ b/release_instructions.txt @@ -14,6 +14,11 @@ FROM mikefarah/yq:4@ - commit the Dockerfile change, then manually run the "Release Docker GitHub Action" workflow (Actions -> Release Docker GitHub Action -> Run workflow) +- update action.yml to pin the newly published github-action image digest (must match the mikefarah/yq:4-githubaction manifest digest): + docker buildx imagetools inspect docker.io/mikefarah/yq:4-githubaction --format '{{printf "%s" .Manifest.Digest}}' + then update the image line in action.yml with the new digest: + image: 'docker://mikefarah/yq:4-githubaction@' +- commit the action.yml change and push // release artifacts are signed with cosign keyless signing (Sigstore) // users can verify with: