The images we publish here:
`go-containerregistry/cloudbuild.yaml`, lines 26 to 37 at commit 2874338:

```sh
# Use the ko binary to build the crane and gcrane builder images.
ko publish --platform=all -B github.com/google/go-containerregistry/cmd/crane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
ko publish --platform=all -B github.com/google/go-containerregistry/cmd/gcrane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"

# Use the ko binary to build the crane and gcrane builder *debug* images.
export KO_CONFIG_PATH=./.ko/debug/
ko publish --platform=all -B github.com/google/go-containerregistry/cmd/crane -t "debug"
ko publish --platform=all -B github.com/google/go-containerregistry/cmd/gcrane -t "debug"

# Tag-specific debug images are pushed to gcr.io/go-containerregistry/{g}crane/debug:...
KO_DOCKER_REPO=gcr.io/$PROJECT_ID/crane/debug ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/crane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
KO_DOCKER_REPO=gcr.io/$PROJECT_ID/gcrane/debug ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/gcrane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
```
... should all be signed with cosign, ideally using the "keyless" flow.
For GCB-based keyless signing we can copy what distroless does here: https://github.com/GoogleContainerTools/distroless/blob/3ecf55603e31c8c01b4da2da8dc34a41757b778c/cloudbuild.yaml#L81-L82
... essentially the GCB SA is used to impersonate [email protected] for the identity challenge. Some IAM needs to be configured, and then things just work 😉
I believe @jonjohnsonjr has to do this given the requirement that we futz with the GCP stuff, but @dlorenc or I would be happy to help navigate this.
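As an added example (not code from this issue or from the go-containerregistry repository), here is what a Cloud Build signing step following the distroless pattern described above could look like. It assumes a dedicated signing service account supplied through the `_SIGNING_SA` substitution (the value below is a placeholder), a builder image that contains `gcloud`, `crane` and `cosign`, cosign v2 flag names, and that `KO_DOCKER_REPO` is `gcr.io/$PROJECT_ID` so the images published by the earlier steps live at `gcr.io/$PROJECT_ID/crane` and `gcr.io/$PROJECT_ID/gcrane`.

```yaml
# Added example, not the project's cloudbuild.yaml. Appended after the
# "ko publish" steps so the images already exist in the registry.
substitutions:
  # Placeholder: the service account whose identity ends up in the
  # Fulcio certificate. Replace with the real signing SA.
  _SIGNING_SA: image-signer@example-project.iam.gserviceaccount.com

steps:
  - name: gcr.io/cloud-builders/gcloud   # assumption: crane and cosign are also installed here
    id: sign-images
    entrypoint: bash
    args:
      - -c
      - |
        set -euo pipefail
        # Cloud Build expands $VAR / ${VAR} itself, so shell variables are
        # written as $$VAR; ${PROJECT_ID}, ${COMMIT_SHA} and ${_SIGNING_SA}
        # are Cloud Build substitutions expanded before the script runs.

        # Identity challenge: mint an OIDC token for the signing SA by
        # impersonating it from the build's own service account. This is the
        # IAM piece the issue mentions: the Cloud Build SA needs
        # roles/iam.serviceAccountTokenCreator on ${_SIGNING_SA}.
        TOKEN="$(gcloud auth print-identity-token \
          --audiences=sigstore \
          --include-email \
          --impersonate-service-account=${_SIGNING_SA})"

        # Sign by digest rather than by tag so the signature is bound to the
        # immutable content that was just pushed, not to a movable tag.
        for IMG in crane gcrane; do
          DIGEST="$(crane digest gcr.io/${PROJECT_ID}/$$IMG:${COMMIT_SHA})"
          cosign sign --yes --identity-token="$$TOKEN" \
            gcr.io/${PROJECT_ID}/$$IMG@$$DIGEST
        done
```

The one-time IAM setup this assumes is a binding such as `gcloud iam service-accounts add-iam-policy-binding <signing SA> --member=serviceAccount:<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com --role=roles/iam.serviceAccountTokenCreator`. Consumers then pin the expected identity when verifying, for example `cosign verify --certificate-identity=<signing SA email> --certificate-oidc-issuer=https://accounts.google.com gcr.io/<project>/crane@<digest>`, which rejects signatures issued to any other identity even if they are otherwise valid Sigstore signatures.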