diff --git a/build/action.yml b/build/action.yml
index ed502e2..58e3223 100644
--- a/build/action.yml
+++ b/build/action.yml
@@ -6,7 +6,7 @@ description: |
 you must first add your GitHub repository to [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform).
 inputs:
 name:
- description: 'Name of application. This will be used as the image name. For Elvia applications, do not include the namespace.'
+ description: 'Name of application. This will be used for the image name. For Elvia applications, do not include the namespace.'
 required: true
 namespace:
 description: 'Namespace or system of the application. Required for Elvia applications.'
@@ -106,12 +106,14 @@ inputs:
 required: false
 outputs:
- image-name:
+ # Used by ISS deploy to re-tag images.
+ image-name-tag:
 description: 'Name of the Docker image that was built, with tag.'
- value: ${{ steps.get-outputs.outputs.image-name }}
+ value: ${{ steps.get-outputs.outputs.image-name-tag }}
+ # Optionally used by deploy to use digest instead of tag (more secure).
 image-digest:
- description: 'Name of the Docker image that was built, with digest.'
- value: ${{ steps.get-outputs.outputs.image-name }}
+ description: 'Digest of the Docker image that was built. Only digest, no name.'
+ value: ${{ steps.get-outputs.outputs.image--digest }}
 runs:
 using: 'composite'
@@ -168,7 +170,7 @@ runs:
 - name: Install 3lv CLI
 uses: 3lvia/cli/setup@trunk
 with:
- version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+ version: 'feat/use-full-image-deploy' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 - name: Install Cosign if not using Elvia runner
 if: ${{ !startsWith(runner.name, 'elvia-runner-') && inputs.sign-image == 'true' }}
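Review bot: The new `image-digest` output reads `steps.get-outputs.outputs.image--digest` (two hyphens), while the get-outputs step in the next hunk writes `image-digest=...` to `$GITHUB_OUTPUT`, so this output always expands to an empty string and a deploy that relies on `inputs.image-digest` silently falls back to the tag. Change it to `value: ${{ steps.get-outputs.outputs.image-digest }}`. Renaming the `image-name` output to `image-name-tag` also removes the old name; callers that still reference `steps.<id>.outputs.image-name` get an empty string rather than an error, so it is worth noting the rename in the description or keeping `image-name` as an alias for one release.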
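Review bot: `version: 'feat/use-full-image-deploy'` pins the installed 3lv CLI to a branch name instead of a release, so the tool that builds, signs and deploys images can change underneath every run with no change to this action, and a given build is not reproducible later. The same pin appears in deploy/action.yml's `Install 3lv CLI` hunk. If the branch has to be used before a release exists, and the setup action accepts it, pin the commit SHA the branch currently points to (or a pre-release tag) and keep the existing TODO so the pin is replaced once the CLI ships a release with this feature.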
@@ -217,17 +219,19 @@ runs:
 shell: bash
 id: get-outputs
 run: |
- IMAGE_NAME=$(cat /tmp/3lv-cli-output/image-name)
+ IMAGE_NAME_TAG=$(cat /tmp/3lv-cli-output/image-name-tag)
+ IMAGE_DIGEST=$(cat /tmp/3lv-cli-output/image-digest)
- echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
- echo "image-digest=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)" >> "$GITHUB_OUTPUT"
+ echo "image-name-tag=$IMAGE_NAME_TAG" >> "$GITHUB_OUTPUT"
+ echo "image-digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
+
+ # For cosign only, not exported elsewhere.
+ echo "IMAGE_NAME_DIGEST=${IMAGE_NAME_TAG%%:*}@IMAGE_DIGEST" >> "$GITHUB_ENV"
 - name: Sign image with Cosign using GitHub OIDC token
 if: ${{ inputs.sign-image == 'true' }}
 shell: bash
- run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_DIGEST"
- env:
- IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
+ run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_NAME_DIGEST"
 - name: Verify image signatue
 if: ${{ inputs.sign-image == 'true' }}
@@ -236,10 +240,9 @@ runs:
 cosign verify \
 --certificate-identity "$CERTIFICATE_IDENTITY" \
 --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
- "$IMAGE_DIGEST" | jq
+ "$IMAGE_NAME_DIGEST" | jq
 env:
 CERTIFICATE_IDENTITY: 'https://github.com/${{ github.workflow_ref }}'
- IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
 - name: Upload Trivy scan results to GitHub Advanced Security
 if: ${{ inputs.trivy-upload-report == 'true' && !cancelled() }}
diff --git a/deploy/action.yml b/deploy/action.yml
index b73d5ca..2e109b2 100644
--- a/deploy/action.yml
+++ b/deploy/action.yml
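Review bot: The line `echo "IMAGE_NAME_DIGEST=${IMAGE_NAME_TAG%%:*}@IMAGE_DIGEST" >> "$GITHUB_ENV"` is missing the `$` on the second variable, so the reference cosign signs (and the verify step in the next hunk checks) ends in the literal text `@IMAGE_DIGEST` rather than the sha256 digest, and both cosign calls should fail to parse it instead of signing the built image. It should read `echo "IMAGE_NAME_DIGEST=${IMAGE_NAME_TAG%:*}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"`, with `%:*` (shortest suffix) rather than `%%:*`, because the longest-match form also cuts off a registry host that carries a port (`host:5000/app:tag` would become `host`). Since `cat` of an empty file leaves a variable empty without failing the step, a guard such as `[[ -n "$IMAGE_NAME_TAG" && -n "$IMAGE_DIGEST" ]] || { echo "missing 3lv CLI output" >&2; exit 1; }` after the two reads would make that failure explicit before anything is signed. The comment `# For cosign only, not exported elsewhere.` is also inaccurate, since `$GITHUB_ENV` makes the variable visible to every later step in the job; `# Consumed by the Cosign sign/verify steps below.` describes it better.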
@@ -38,16 +38,19 @@ inputs:
 description: 'Kubernetes cloud provider to deploy to: `AKS`, `GKE` or ISS (Elvia only).'
 required: false
 default: 'AKS'
+ image-digest:
+ description: |
+ Use a image digest instead of the default tag. This is more secure than using a tag.
+ You can get this value as an output from the `build`-action.
+ required: false
 override-image-tag:
 description: |
- Overrides the default image tag of 'github.sha-github.run_number'.
+ Overrides the default image tag of 'github.sha-github.run_number'. Takes precedence over `image-name-digest`.
 **This should not normally be set; only change this if you know what you are doing.**
 required: false
- default: ''
 slack-channel:
 description: 'Slack channel to notify on failure. Leave empty to disable notifications.'
 required: false
- default: ''
 AZURE_CLIENT_ID:
 description: 'Client ID of a service principal that has access to AKS. Only required for deploying to AKS.'
 required: false
@@ -130,7 +133,7 @@ runs:
 - name: Install 3lv CLI
 uses: 3lvia/cli/setup@trunk
 with:
- version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+ version: 'feat/use-full-image-deploy' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 - name: Deploy
 shell: bash
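Review bot: The new sentence in the `override-image-tag` description says it takes precedence over `image-name-digest`, but the input added a few lines above is named `image-digest` (as is the build action's output), so the cross-reference points at a name that does not exist. The new `image-digest` description also has `Use a image digest`, which should be `Use an image digest`. Suggested line: `Overrides the default image tag of 'github.sha-github.run_number'. Takes precedence over `image-digest`.` Whether the tag really wins over the digest is decided by the CLI rather than by anything in this file, so it is worth confirming that claim against the CLI before documenting it.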
@@ -139,19 +142,21 @@ runs:
 --system-name '${{ inputs.namespace }}' \
 --helm-values-file "$HELM_VALUES_FILE" \
 --environment '${{ inputs.environment }}' \
+ --image-tag "$IMAGE_TAG" \
 --workload-type '${{ inputs.workload-type }}' \
 --runtime-cloud-provider '${{ inputs.runtime-cloud-provider }}' \
- --image-tag "$IMAGE_TAG" \
 --add-deployment-annotation \
 --grafana-url "$GRAFANA_URL" \
 --grafana-api-key "$GRAFANA_API_KEY" \
 --run-id '${{ github.run_id }}' \
 '${{ inputs.name }}'
 env:
- HELM_VALUES_FILE: ${{ inputs.helm-values-path == '' && inputs.helm-values-file || inputs.helm-values-path }}
- IMAGE_TAG: ${{ inputs.override-image-tag == '' && format('{0}-{1}', github.sha, github.run_number) || inputs.override-image-tag }}
+ HELM_VALUES_FILE: ${{ inputs.helm-values-path != '' && inputs.helm-values-path || inputs.helm-values-file }}
+ # Order of precedence: digest if not empty, tag if not empty, finally default to '{sha}-{run_number}'
+ IMAGE_TAG: ${{ inputs.override-image-tag != '' && inputs.override-image-tag || format('{0}-{1}', github.sha, github.run_number) }}
 # Pass optional inputs as environment variables, since they can be empty.
 # The CLI does not accept empty strings passed to the flags, e.g. `--gke-project-id ''` will cause an error.
+ 3LV_IMAGE_DIGEST: ${{ inputs.image-digest }}
 3LV_AZURE_TENANT_ID: ${{ inputs.AZURE_TENANT_ID }}
 3LV_AZURE_CLIENT_ID: ${{ inputs.AZURE_CLIENT_ID }}
 3LV_AZURE_FEDERATED_TOKEN: ${{ steps.get-federated-token.outputs.token }}
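Review bot: The comment `# Order of precedence: digest if not empty, tag if not empty, finally default to '{sha}-{run_number}'` describes a rule the expression under it does not implement: `IMAGE_TAG` only chooses between `override-image-tag` and the sha/run-number default, and the digest is handed to the CLI separately through `3LV_IMAGE_DIGEST`, so which of the two is actually used is presumably decided inside the CLI, not here. It also contradicts the `override-image-tag` description in the earlier hunk, which says the tag takes precedence over the digest. Settle on one rule and state it identically in both places, e.g. `# IMAGE_TAG is override-image-tag if set, else '{sha}-{run_number}'; the digest goes to the CLI via 3LV_IMAGE_DIGEST, which decides whether digest or tag is deployed.` The Deploy step's `run:` block begins before this hunk.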