Save digest in build and use for deploy

3lvia · Jan 22, 2025 · a0c795d · a0c795d
1 parent d03de99
commit a0c795d
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 21 deletions.
diff --git a/build/action.yml b/build/action.yml
@@ -6,7 +6,7 @@ description: |
   you must first add your GitHub repository to [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform).
 inputs:
   name:
-    description: 'Name of application. This will be used as the image name. For Elvia applications, do not include the namespace.'
+    description: 'Name of application. This will be used for the image name. For Elvia applications, do not include the namespace.'
     required: true
   namespace:
     description: 'Namespace or system of the application. Required for Elvia applications.'
@@ -106,12 +106,14 @@ inputs:
     required: false
 
 outputs:
-  image-name:
+  # Used by ISS deploy to re-tag images.
+  image-name-tag:
     description: 'Name of the Docker image that was built, with tag.'
-    value: ${{ steps.get-outputs.outputs.image-name }}
+    value: ${{ steps.get-outputs.outputs.image-name-tag }}
+  # Optionally used by deploy to use digest instead of tag (more secure).
   image-digest:
-    description: 'Name of the Docker image that was built, with digest.'
-    value: ${{ steps.get-outputs.outputs.image-name }}
+    description: 'Digest of the Docker image that was built. Only digest, no name.'
+    value: ${{ steps.get-outputs.outputs.image--digest }}
 
 runs:
   using: 'composite'
@@ -168,7 +170,7 @@ runs:
     - name: Install 3lv CLI
       uses: 3lvia/cli/setup@trunk
       with:
-        version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+        version: 'feat/use-full-image-deploy' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 
     - name: Install Cosign if not using Elvia runner
       if: ${{ !startsWith(runner.name, 'elvia-runner-') && inputs.sign-image == 'true' }}
@@ -217,17 +219,19 @@ runs:
       shell: bash
       id: get-outputs
       run: |
-        IMAGE_NAME=$(cat /tmp/3lv-cli-output/image-name)
+        IMAGE_NAME_TAG=$(cat /tmp/3lv-cli-output/image-name-tag)
+        IMAGE_DIGEST=$(cat /tmp/3lv-cli-output/image-digest)
 
-        echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
-        echo "image-digest=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)" >> "$GITHUB_OUTPUT"
+        echo "image-name-tag=$IMAGE_NAME_TAG" >> "$GITHUB_OUTPUT"
+        echo "image-digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
+
+        # For cosign only, not exported elsewhere.
+        echo "IMAGE_NAME_DIGEST=${IMAGE_NAME_TAG%%:*}@IMAGE_DIGEST" >> "$GITHUB_ENV"
 
     - name: Sign image with Cosign using GitHub OIDC token
       if: ${{ inputs.sign-image == 'true' }}
       shell: bash
-      run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_DIGEST"
-      env:
-        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
+      run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_NAME_DIGEST"
 
     - name: Verify image signatue
       if: ${{ inputs.sign-image == 'true' }}
@@ -236,10 +240,9 @@ runs:
         cosign verify \
           --certificate-identity "$CERTIFICATE_IDENTITY" \
           --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
-          "$IMAGE_DIGEST" | jq
+          "$IMAGE_NAME_DIGEST" | jq
       env:
         CERTIFICATE_IDENTITY: 'https://github.com/${{ github.workflow_ref }}'
-        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
 
     - name: Upload Trivy scan results to GitHub Advanced Security
       if: ${{ inputs.trivy-upload-report == 'true' && !cancelled() }}

diff --git a/deploy/action.yml b/deploy/action.yml
@@ -38,16 +38,19 @@ inputs:
     description: 'Kubernetes cloud provider to deploy to: `AKS`, `GKE` or ISS (Elvia only).'
     required: false
     default: 'AKS'
+  image-digest:
+    description: |
+      Use a image digest instead of the default tag. This is more secure than using a tag.
+      You can get this value as an output from the `build`-action.
+    required: false
   override-image-tag:
     description: |
-      Overrides the default image tag of 'github.sha-github.run_number'.
+      Overrides the default image tag of 'github.sha-github.run_number'. Takes precedence over `image-name-digest`.
       **This should not normally be set; only change this if you know what you are doing.**
     required: false
-    default: ''
   slack-channel:
     description: 'Slack channel to notify on failure. Leave empty to disable notifications.'
     required: false
-    default: ''
   AZURE_CLIENT_ID:
     description: 'Client ID of a service principal that has access to AKS. Only required for deploying to AKS.'
     required: false
@@ -130,7 +133,7 @@ runs:
     - name: Install 3lv CLI
       uses: 3lvia/cli/setup@trunk
       with:
-        version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+        version: 'feat/use-full-image-deploy' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 
     - name: Deploy
       shell: bash
@@ -139,19 +142,21 @@ runs:
           --system-name '${{ inputs.namespace }}' \
           --helm-values-file "$HELM_VALUES_FILE" \
           --environment '${{ inputs.environment }}' \
+          --image-tag "$IMAGE_TAG" \
           --workload-type '${{ inputs.workload-type }}' \
           --runtime-cloud-provider '${{ inputs.runtime-cloud-provider }}' \
-          --image-tag "$IMAGE_TAG" \
           --add-deployment-annotation \
           --grafana-url "$GRAFANA_URL" \
           --grafana-api-key "$GRAFANA_API_KEY" \
           --run-id '${{ github.run_id }}' \
           '${{ inputs.name }}'
       env:
-        HELM_VALUES_FILE: ${{ inputs.helm-values-path == '' && inputs.helm-values-file || inputs.helm-values-path }}
-        IMAGE_TAG: ${{ inputs.override-image-tag == '' && format('{0}-{1}', github.sha, github.run_number) || inputs.override-image-tag }}
+        HELM_VALUES_FILE: ${{ inputs.helm-values-path != '' && inputs.helm-values-path || inputs.helm-values-file }}
+        # Order of precedence: digest if not empty, tag if not empty, finally default to '{sha}-{run_number}'
+        IMAGE_TAG: ${{ inputs.override-image-tag != '' && inputs.override-image-tag || format('{0}-{1}', github.sha, github.run_number) }}
         # Pass optional inputs as environment variables, since they can be empty.
         # The CLI does not accept empty strings passed to the flags, e.g. `--gke-project-id ''` will cause an error.
+        3LV_IMAGE_DIGEST: ${{ inputs.image-digest }}
         3LV_AZURE_TENANT_ID: ${{ inputs.AZURE_TENANT_ID }}
         3LV_AZURE_CLIENT_ID: ${{ inputs.AZURE_CLIENT_ID }}
         3LV_AZURE_FEDERATED_TOKEN: ${{ steps.get-federated-token.outputs.token }}