SecAI_OS/.github/workflows/build.yml at main · SecAI-Hub/SecAI_OS · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: bluebuild
on:
  schedule:
    - cron:
        "00 06 * * *"
  push:
    branches: [main]
    paths-ignore:
      - "**.md"
  pull_request:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true

jobs:
  bluebuild:
    name: Build Custom Image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        recipe:
          - recipe.yml
    steps:
      - name: Build Custom Image
        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1.11.1
        with:
          recipe: ${{ matrix.recipe }}
          cosign_private_key: ${{ secrets.SIGNING_SECRET }}
          registry_token: ${{ github.token }}
          pr_event_number: ${{ github.event.number }}
          maximize_build_space: true

      - name: Set lowercase image ref
        if: github.event_name != 'pull_request'
        run: echo "IMAGE_REF=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"

      # Scan the source tree rather than the full OS image.
      # The OS image is a multi-GB Fedora Silverblue base with thousands of
      # system packages — scanning it via `syft scan <image>` exceeds the
      # runner's memory/time limits. Fedora provides its own SBOMs for base
      # packages. This SBOM covers our custom services and configuration.
      - name: Generate SBOM
        if: github.event_name != 'pull_request'
        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
        with:
          path: .
          format: cyclonedx-json
          output-file: sbom.cdx.json

      - name: Attest SBOM
        if: github.event_name != 'pull_request'
        run: |
          cosign attest --type cyclonedx \
            --predicate sbom.cdx.json \
            --key env://COSIGN_PRIVATE_KEY \
            "$IMAGE_REF"
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

      # Publish the image digest so users can pin installs to an exact build.
      # The digest appears in the workflow summary and as an artifact.
      - name: Extract and publish image digest
        if: github.event_name != 'pull_request'
        id: digest
        run: |
          DIGEST=$(skopeo inspect "docker://${IMAGE_REF}:latest" 2>/dev/null | jq -r '.Digest' || echo "")
          if [ -z "$DIGEST" ] || [ "$DIGEST" = "null" ]; then
            echo "WARNING: Could not extract image digest"
            echo "digest=unknown" >> "$GITHUB_OUTPUT"
          else
            echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
            echo "${DIGEST}" > IMAGE_DIGEST
            echo "## Image Digest" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "Pinned install reference:" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "sudo bash secai-bootstrap.sh --digest ${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "Full image ref: \`${IMAGE_REF}@${DIGEST}\`" >> "$GITHUB_STEP_SUMMARY"
          fi