Skip to content

Commit

Permalink
Make possible to provide image as a secret
Browse files Browse the repository at this point in the history
Add option to provide image as a secret for private registries.

Signed-off-by: Danil Grigorev <[email protected]>
  • Loading branch information
Danil-Grigorev committed Oct 26, 2023
1 parent 10ddc67 commit f3d1b2a
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/generator_container_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ on:
description: "Username to log into the container registry."
registry-password:
description: "Password to log in the container registry."
image:
description: "The OCI image name. This must not include a tag or digest."
inputs:
image:
description: "The OCI image name. This must not include a tag or digest."
Expand Down Expand Up @@ -157,6 +159,7 @@ jobs:
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.image }}"
UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
Expand All @@ -170,7 +173,7 @@ jobs:
# See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
untrusted_registry="docker.io"
# NOTE: Do not fail the script if grep does not match.
maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
maybe_domain=$(echo "${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
if [ "${maybe_domain}" != "" ]; then
untrusted_registry="${maybe_domain}"
fi
Expand Down Expand Up @@ -199,6 +202,7 @@ jobs:
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.image }}"
UNTRUSTED_SECRET_IMAGE: "${{ secrets.image }}"
UNTRUSTED_DIGEST: "${{ inputs.digest }}"
GITHUB_CONTEXT: "${{ toJSON(github) }}"
run: |
Expand All @@ -211,7 +215,7 @@ jobs:
COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
--type slsaprovenance \
--yes \
"${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
"${UNTRUSTED_SECRET_IMAGE:-${UNTRUSTED_IMAGE}}@${UNTRUSTED_DIGEST}"
- name: Final outcome
id: final
Expand Down

0 comments on commit f3d1b2a

Please sign in to comment.