This repository has been archived by the owner on Jul 3, 2024. It is now read-only.
Add note about archiving (#24) #49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Validate SecureSign Ansible | |
on: | |
workflow_dispatch: | |
push: | |
branches: ["main", "release*"] | |
tags: ["*"] | |
pull_request: | |
branches: ["main", "release*"] | |
env: | |
GO_VERSION: 1.21 | |
AWS_REGION: us-east-2 | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
BASE_HOSTNAME: ${{ secrets.BASE_DOMAIN }} | |
FULCIO_URL: https://fulcio.${{ secrets.BASE_DOMAIN }} | |
TUF_URL: https://tuf.${{ secrets.BASE_DOMAIN }} | |
KEYCLOAK_URL: ${{ secrets.KEYCLOAK_URL }} | |
KEYCLOAK_REALM: trusted-artifact-signer | |
KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/trusted-artifact-signer | |
REKOR_URL: https://rekor.${{ secrets.BASE_DOMAIN }} | |
TF_VAR_base_domain: ${{ secrets.BASE_DOMAIN }} | |
TF_VAR_vpc_id: ${{ secrets.VPC_ID }} | |
TF_VAR_rh_username: ${{ secrets.RH_USERNAME }} | |
TF_VAR_rh_password: ${{ secrets.RH_PASSWORD }} | |
IMAGE: ttl.sh/sigstore-test:15m | |
jobs: | |
deploy-and-test: | |
name: Deploy using terraform then tag, push, sign and verify | |
runs-on: ubuntu-latest | |
steps: | |
- uses: hashicorp/setup-terraform@v3 | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: sshkeygen for ansible | |
run: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N "" | |
- name: docker login registry.redhat.io | |
run: echo ${{ secrets.RH_PASSWORD }} | docker login -u ${{ secrets.RH_USERNAME }} --password-stdin registry.redhat.io | |
- name: build push sign and tag | |
run: | | |
buildah pull alpine:latest | |
buildah tag alpine:latest ${{ env.IMAGE }} | |
buildah push ${{ env.IMAGE }} | |
- name: Terraform Init | |
run: terraform init | |
- name: Terraform Apply | |
run: terraform apply -auto-approve | |
- name: install cosign | |
uses: sigstore/cosign-installer@v3.3.0 | |
with: | |
cosign-release: 'v2.2.2' # optional | |
- name: Grab the certificate and trust it | |
run: export ESCAPED_URL=sigstore_octo-emerging_redhataicoe_com && rm -rf ./*.pem && openssl s_client -showcerts -verify 5 -connect rekor.$BASE_HOSTNAME:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}' && for cert in *.pem; do newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem; echo "${newname}"; mv "${cert}" "${newname}" ; done && sudo mv $ESCAPED_URL.pem /etc/ssl/certs/ && sudo update-ca-certificates && cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json | |
- name: sign and verify | |
run: | | |
TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=trusted-artifact-signer" https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/') | |
cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN --oidc-client-id=${{ secrets.KEYCLOAK_REALM }} ${{ env.IMAGE }} | |
cosign verify --rekor-url=${{ env.REKOR_URL}} --certificate-identity-regexp ".*@redhat" --certificate-oidc-issuer-regexp ".*keycloak.*" ${{ env.IMAGE }} | |
- name: Terraform Destroy | |
if: always() | |
run: terraform destroy -auto-approve |