Process for SHA-pin github action
This commit is contained in:
parent
0eebc242fb
commit
26434e221e
7
.github/workflows/docker-githubaction.yml
@ -98,3 +98,10 @@ jobs:
|
|||||||
-t "ghcr.io/${IMAGE_NAME}:4-githubaction" \
|
-t "ghcr.io/${IMAGE_NAME}:4-githubaction" \
|
||||||
-t "ghcr.io/${IMAGE_NAME}:latest-githubaction" \
|
-t "ghcr.io/${IMAGE_NAME}:latest-githubaction" \
|
||||||
.
|
.
|
||||||
|
|
||||||
|
- name: Report action.yml digest to pin
|
||||||
|
run: |
|
||||||
|
GITHUBACTION_DIGEST=$(docker buildx imagetools inspect "${IMAGE_NAME}:4-githubaction" --format '{{printf "%s" .Manifest.Digest}}')
|
||||||
|
echo "Published ${IMAGE_NAME}:4-githubaction at ${GITHUBACTION_DIGEST}"
|
||||||
|
echo "Update action.yml image to:"
|
||||||
|
echo " docker://${IMAGE_NAME}:4-githubaction@${GITHUBACTION_DIGEST}"
|
||||||
|
|||||||
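Review bot: The new report step inspects the unqualified reference `"${IMAGE_NAME}:4-githubaction"`, which the Docker CLI resolves against Docker Hub, while the tags visible in this hunk are pushed to `ghcr.io/${IMAGE_NAME}`; go.yml and action.yml both consume the docker.io image, so this is presumably intended, but it should be explicit. I would write it as `GITHUBACTION_DIGEST=$(docker buildx imagetools inspect "docker.io/${IMAGE_NAME}:4-githubaction" --format '{{printf "%s" .Manifest.Digest}}')` so the reference is byte-for-byte the one the verify job checks. A comment above the step would help the next maintainer: `# Prints the manifest (index) digest to pin in action.yml; a digest is content-addressed, so it should match on every registry the same manifest was pushed to`. The build/push command this step follows starts before the hunk.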
26
.github/workflows/go.yml
@ -5,6 +5,32 @@ permissions:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
|
||||||
|
verify-action-digest:
|
||||||
|
name: Verify action.yml image digest
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||||
|
|
||||||
|
- name: Verify action.yml digest matches published image
|
||||||
|
run: |
|
||||||
|
PINNED_DIGEST=$(grep -oE 'sha256:[a-f0-9]{64}' action.yml | head -1)
|
||||||
|
if [ -z "${PINNED_DIGEST}" ]; then
|
||||||
|
echo "::error::action.yml does not pin the runtime image by digest"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
LATEST_DIGEST=$(docker buildx imagetools inspect docker.io/mikefarah/yq:4-githubaction --format '{{printf "%s" .Manifest.Digest}}')
|
||||||
|
|
||||||
|
echo "action.yml pins: ${PINNED_DIGEST}"
|
||||||
|
echo "mikefarah/yq:4-githubaction: ${LATEST_DIGEST}"
|
||||||
|
|
||||||
|
if [ "${PINNED_DIGEST}" != "${LATEST_DIGEST}" ]; then
|
||||||
|
echo "::error::action.yml digest does not match the current mikefarah/yq:4-githubaction image"
|
||||||
|
echo "Update the image line in action.yml to:"
|
||||||
|
echo " docker://mikefarah/yq:4-githubaction@${LATEST_DIGEST}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
build:
|
build:
|
||||||
name: Build
|
name: Build
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
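Review bot: `grep -oE 'sha256:[a-f0-9]{64}' action.yml | head -1` accepts the first 64-hex digest found anywhere in action.yml, not specifically the `image:` value, so a digest in a comment or another field would satisfy the check while the runtime image stays unpinned. Restrict the search to the image line: `PINNED_DIGEST=$(grep -E '^[[:space:]]*image:' action.yml | grep -oE 'sha256:[a-f0-9]{64}' | head -1)`. The `-z` branch only gets to print its `::error::` message because the default `run` shell is `bash -e` without `pipefail`; if `shell: bash` is ever set on this step, grep's non-zero status would abort the command substitution before the check runs, so either append `|| true` inside the substitution or add a comment stating that dependency.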
@ -12,6 +12,6 @@ outputs:
|
|||||||
description: "The complete result from the yq command being run"
|
description: "The complete result from the yq command being run"
|
||||||
runs:
|
runs:
|
||||||
using: 'docker'
|
using: 'docker'
|
||||||
image: 'docker://mikefarah/yq:4-githubaction'
|
image: 'docker://mikefarah/yq:4-githubaction@sha256:e1b8c865f299ea6b02910a7ddf147d5d431244d4cc116f89c2148c9f53822906'
|
||||||
args:
|
args:
|
||||||
- ${{ inputs.cmd }}
|
- ${{ inputs.cmd }}
|
||||||
|
|||||||
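Review bot: The `image:` line now carries both a tag and a digest, but nothing in the file records where the digest comes from or how it is kept current, so a maintainer editing it has to discover the verify-action-digest job and the release instructions on their own. Add a comment above the line, e.g. `# Pinned to the manifest digest of mikefarah/yq:4-githubaction; CI (verify-action-digest in go.yml) fails if this drifts from the published tag — update per the release instructions`. It is also worth saying in that comment that once a digest is present the runtime pulls by digest and the `4-githubaction` tag is informational only, which is the point of the pin, so nobody "fixes" the tag expecting it to change what runs.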
@ -14,6 +14,11 @@
|
|||||||
FROM mikefarah/yq:4@<digest-from-above>
|
FROM mikefarah/yq:4@<digest-from-above>
|
||||||
- commit the Dockerfile change, then manually run the "Release Docker GitHub Action" workflow
|
- commit the Dockerfile change, then manually run the "Release Docker GitHub Action" workflow
|
||||||
(Actions -> Release Docker GitHub Action -> Run workflow)
|
(Actions -> Release Docker GitHub Action -> Run workflow)
|
||||||
|
- update action.yml to pin the newly published github-action image digest (must match the mikefarah/yq:4-githubaction manifest digest):
|
||||||
|
docker buildx imagetools inspect docker.io/mikefarah/yq:4-githubaction --format '{{printf "%s" .Manifest.Digest}}'
|
||||||
|
then update the image line in action.yml with the new digest:
|
||||||
|
image: 'docker://mikefarah/yq:4-githubaction@<digest-from-above>'
|
||||||
|
- commit the action.yml change and push
|
||||||
|
|
||||||
// release artifacts are signed with cosign keyless signing (Sigstore)
|
// release artifacts are signed with cosign keyless signing (Sigstore)
|
||||||
// users can verify with:
|
// users can verify with:
|
||||||
|
|||||||