fix build and push action

fkie-cad · Jan 13, 2025 · de0d1dc · de0d1dc
1 parent 87210a9
commit de0d1dc
Showing 1 changed file with 61 additions and 62 deletions.
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -69,7 +69,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
-          driver: remote
+          driver: docker-container
           platforms: linux/amd64
           append: |
             - endpoint: ssh://root@${{ secrets.DOCKER_BUILD_SERVER_01 }}
@@ -86,68 +86,67 @@ jobs:
           build-args: |
             LOGPREP_VERSION=${{ inputs.build-version }}
             PYTHON_VERSION=${{ matrix.python-version }}
-            tags: ${{ steps.image-tag.outputs.tags }}
-            platforms: "linux/arm64,linux/amd64"
           tags: ${{ steps.image-tag.outputs.tags }}
+          platforms: "linux/arm64,linux/amd64"
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      # - name: Extract image ID from sha256
-      #   id: pushed-imageid
-      #   run: |
-      #     python - <<EOF
-      #     import os
-      #     imageid = "${{ steps.build-and-push.outputs.ImageID }}"
-      #     digest = "${{ steps.build-and-push.outputs.Digest }}"
-      #     with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
-      #         file.write(f"digest={digest.split(':')[1]}")
-      #         file.write(f"imageid={imageid.split(':')[1]}")
-      #     EOF
-
-      # - name: Install Cosign
-      #   uses: sigstore/[email protected]
-      #   with:
-      #     cosign-release: "v2.4.1"
-
-      # - name: Create SBOM of container image
-      #   uses: anchore/sbom-action@v0
-      #   with:
-      #     image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.Digest }}
-      #     artifact-name: logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json
-      #     output-file: logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json
-
-      # - name: Sign image with a key and add sbom attestation
-      #   run: |
-      #     cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
-      #     cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
-      #   env:
-      #     COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-      #     COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-
-      # # To avoid the trivy-db becoming outdated, we save the cache for one day
-      # - name: Get date
-      #   id: date
-      #   run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
-
-      # - name: Restore trivy cache
-      #   uses: actions/cache@v4
-      #   with:
-      #     path: cache/db
-      #     key: trivy-cache-${{ steps.date.outputs.date }}
-      #     restore-keys: trivy-cache-
-
-      # - name: Scan image using Trivy
-      #   uses: aquasecurity/[email protected]
-      #   env:
-      #     TRIVY_CACHE_DIR: ./cache
-      #     TRIVY_PLATFORM: linux/amd64
-      #   with:
-      #     scan-type: image
-      #     image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
-      #     trivy-config: trivy.yaml
-
-      # # Trivy-db uses `0600` permissions.
-      # # But `action/cache` use `runner` user by default
-      # # So we need to change the permissions before caching the database.
-      # - name: Change permissions for trivy.db
-      #   run: sudo chmod 0644 ./cache/db/trivy.db
+      - name: Extract image ID from sha256
+        id: pushed-imageid
+        run: |
+          python - <<EOF
+          import os
+          imageid = "${{ steps.build-and-push.outputs.ImageID }}"
+          digest = "${{ steps.build-and-push.outputs.Digest }}"
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
+              file.write(f"digest={digest.split(':')[1]}")
+              file.write(f"imageid={imageid.split(':')[1]}")
+          EOF
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: "v2.4.1"
+
+      - name: Create SBOM of container image
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.Digest }}
+          artifact-name: logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json
+          output-file: logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json
+
+      - name: Sign image with a key and add sbom attestation
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+      # To avoid the trivy-db becoming outdated, we save the cache for one day
+      - name: Get date
+        id: date
+        run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
+
+      - name: Restore trivy cache
+        uses: actions/cache@v4
+        with:
+          path: cache/db
+          key: trivy-cache-${{ steps.date.outputs.date }}
+          restore-keys: trivy-cache-
+
+      - name: Scan image using Trivy
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_CACHE_DIR: ./cache
+          TRIVY_PLATFORM: linux/amd64
+        with:
+          scan-type: image
+          image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+          trivy-config: trivy.yaml
+
+      # Trivy-db uses `0600` permissions.
+      # But `action/cache` use `runner` user by default
+      # So we need to change the permissions before caching the database.
+      - name: Change permissions for trivy.db
+        run: sudo chmod 0644 ./cache/db/trivy.db