diff --git a/.github/workflows/dev_build_precache.yml b/.github/workflows/dev_build_precache.yml index 6406ddbd5e..ee6f3df83a 100644 --- a/.github/workflows/dev_build_precache.yml +++ b/.github/workflows/dev_build_precache.yml @@ -66,7 +66,7 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 env: WERF_EXPERIMENTAL_IMPORT_BY_SOURCE_IMAGE_TAG: "true" with: @@ -75,6 +75,8 @@ jobs: module_tag: ${{ steps.modules_module_tag.outputs.MODULES_MODULE_TAG }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO}} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - name: Cleanup Docker config run: | diff --git a/.github/workflows/dev_build_svace.yml b/.github/workflows/dev_build_svace.yml index c31fef6c1a..5e0a4da61a 100644 --- a/.github/workflows/dev_build_svace.yml +++ b/.github/workflows/dev_build_svace.yml @@ -111,11 +111,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ vars.DEV_MODULE_SOURCE}} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{needs.set_vars.outputs.modules_module_tag}} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} svace_enabled: "true" diff --git a/.github/workflows/dev_module_build-and-registration.yml b/.github/workflows/dev_module_build-and-registration.yml index b251cedb82..28844b02b3 100644 --- a/.github/workflows/dev_module_build-and-registration.yml 
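Review bot: `uses: deckhouse/modules-actions/build@v15` references a mutable tag, and this step is now handed `registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}` on top of the `SOURCE_REPO_SSH_KEY` and private-repo secrets it already receives, so anyone who can move the `v15` tag in that repository can capture all of them; pin to the full commit SHA with the tag kept as a trailing comment, e.g. `uses: deckhouse/modules-actions/build@<40-hex commit sha> # v15`. The same password is still passed to the login step in the context lines above the hunk, so the credential now travels into two actions; whether the build action can reuse that docker login instead of taking the raw password I cannot tell from here, since the action's inputs are outside this diff. The same two points apply to every `build@v15` hunk in this changeset.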
+++ b/.github/workflows/dev_module_build-and-registration.yml @@ -112,7 +112,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ github.event.inputs.enableBuild == 'true' }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ vars.DEV_MODULE_SOURCE}} module_name: ${{ vars.MODULE_NAME }} @@ -120,6 +120,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - name: Cleanup Docker config run: | diff --git a/.github/workflows/dev_module_build.yml b/.github/workflows/dev_module_build.yml index 93088ddcc7..f3ee59e7c9 100644 --- a/.github/workflows/dev_module_build.yml +++ b/.github/workflows/dev_module_build.yml @@ -418,11 +418,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ vars.DEV_MODULE_SOURCE}} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{needs.set_vars.outputs.modules_module_tag}} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} svace_enabled: ${{ inputs.svace_enabled || contains(github.event.pull_request.labels.*.name, 'analyze/svace') }} diff --git a/.github/workflows/e2e-test-releases.yml b/.github/workflows/e2e-test-releases.yml index 8404c029a7..e4ec3ff351 100644 --- a/.github/workflows/e2e-test-releases.yml +++ b/.github/workflows/e2e-test-releases.yml 
@@ -196,11 +196,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ vars.DEV_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ matrix.module_tag }} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{ secrets.SOURCE_REPO_GIT }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} diff --git a/.github/workflows/release_module_build-and-registration.yml b/.github/workflows/release_module_build-and-registration.yml index 8a2937c51f..4478ebdcdc 100644 --- a/.github/workflows/release_module_build-and-registration.yml +++ b/.github/workflows/release_module_build-and-registration.yml @@ -81,11 +81,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" 
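Review bot: In the `release_module_build-and-registration.yml` hunk the build step gets `registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}` / `registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}`, while the login step in the context lines just above still authenticates with `DEV_MODULES_REGISTRY_LOGIN` / `DEV_MODULES_REGISTRY_PASSWORD`; if the VEX attestation is pushed to the same repository the image was built into, one of the two credentials targets the wrong registry. Confirm which registry `steps.set_vars.outputs.MODULES_MODULE_SOURCE` resolves to for this job and make the login and build credentials agree (the same DEV-login / PROD-build pairing appears in the other three hunks of this file and in `release_module_release-channels.yml`); I am inferring the login step's purpose from its input names only. The `@v15` tag should also be pinned to a commit SHA as noted for the dev workflows.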
@@ -134,11 +136,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" @@ -188,11 +192,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" 
@@ -242,11 +248,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" diff --git a/.github/workflows/release_module_release-channels.yml b/.github/workflows/release_module_release-channels.yml index f91ee80dea..02c9528a1d 100644 --- a/.github/workflows/release_module_release-channels.yml +++ b/.github/workflows/release_module_release-channels.yml @@ -205,7 +205,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ inputs.enableBuild }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} @@ -213,6 +213,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} - uses: deckhouse/modules-actions/deploy@v2 with: @@ -271,7 +273,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ inputs.enableBuild }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} 
@@ -279,6 +281,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} - uses: deckhouse/modules-actions/deploy@v2 with: @@ -330,7 +334,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ inputs.enableBuild }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} @@ -338,6 +342,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} - uses: deckhouse/modules-actions/deploy@v2 with: @@ -393,7 +399,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ inputs.enableBuild }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} @@ -401,6 +407,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} - uses: deckhouse/modules-actions/deploy@v2 with: diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2ad3e5a2df..1662e35a1f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -128,6 +128,8 @@ variables: MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_DEV_REGISTRY_PASSWORD} MODULES_REGISTRY: dev-registry.deckhouse.io MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/sys/deckhouse-oss/modules + REGISTRY_USER: ${MODULES_REGISTRY_LOGIN} + REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD} ENV: DEV # PROD registry @@ -137,6 +139,8 @@ variables: MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_PROD_REGISTRY_PASSWORD} MODULES_REGISTRY: registry-write.deckhouse.io MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/deckhouse/${EDITION}/modules + REGISTRY_USER: ${MODULES_REGISTRY_LOGIN} + REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD} ENV: PROD # Templates ============================================================================================================ diff --git a/.werf/defines/vex.tmpl b/.werf/defines/vex.tmpl new file mode 100644 index 0000000000..f1571f99eb --- /dev/null +++ b/.werf/defines/vex.tmpl 
@@ -0,0 +1,143 @@ +# put image with vex mitigations to registry. +# Mitigations can be found in the known_vulnerabilities.vex file in the image directory +# input parameters: +# list of $ and image name. +# list ($ "common/kubernetes") +{{- define "vex mitigation" }} + {{- $context := index . 0 }} + {{- $imageName := index . 1 }} + {{- $knownVulnPath := "" }} + {{- $isVault := false }} + {{- if eq $imageName "dev" }} + {{- $knownVulnPath = "/deckhouse-controller/known_vulnerabilities.vex" }} + {{- else if eq $imageName "dev/install" }} + {{- $knownVulnPath = "/dhctl/known_vulnerabilities.vex" }} + {{- else if eq $imageName "bundle" }} + {{- $knownVulnPath = "/known_vulnerabilities.vex" }} + {{- else if hasKey $context "ModulePriority" }} + {{- $knownVulnPath = (printf "/%smodules/%s-%s/images/%s/known_vulnerabilities.vex" $context.ModulePath $context.ModulePriority $context.ModuleName $context.ImageName) }} + {{- else }} + {{- $knownVulnPath = (printf "/images/%s/known_vulnerabilities.vex" $context.ImageName) }} + {{- end }} + {{- $vexFile := false }} + {{- if eq (len ($context.Files.Glob $knownVulnPath)) 1 }} + {{- $vexFile = true }} + {{- end }} + {{- $werfSignKey := env "WERF_SIGN_KEY" "" }} + {{- $vaultKey := env "VAULT_KEY" "" }} + {{- $actionsIdToken := env "ACTIONS_ID_TOKEN_REQUEST_TOKEN" "" }} + {{- if or (ne $werfSignKey "") (ne $vaultKey "") (ne $actionsIdToken "") }} + {{- $isVault = true }} + {{- end }} + {{- if $vexFile }} +--- +image: {{ $imageName }}-vex-artifact +fromImage: base/vex +final: true +secrets: +- id: REGISTRY_USER + env: REGISTRY_USER +- id: REGISTRY_PASSWORD + env: REGISTRY_PASSWORD +{{- if eq $isVault true }} +{{- if ne $werfSignKey "" }} +- id: VAULT_ADDR + env: VAULT_ADDR +- id: VAULT_KEY + env: WERF_SIGN_KEY +- id: VAULT_ROLE + env: WERF_VAULT_AUTH_ROLE +- id: VAULT_JWT + env: WERF_VAULT_AUTH_JWT +- id: TRANSIT_SECRET_ENGINE_PATH + env: TRANSIT_SECRET_ENGINE_PATH +{{- else }} +- id: VAULT_ADDR + env: VAULT_ADDR +- id: VAULT_KEY + 
env: VAULT_KEY +- id: VAULT_ROLE + env: VAULT_ROLE +- id: TRANSIT_SECRET_ENGINE_PATH + env: TRANSIT_SECRET_ENGINE_PATH +{{- if eq $actionsIdToken "" }} +- id: VAULT_JWT + env: VAULT_ID_TOKEN +{{- end }} +{{- end }} +{{- if ne $actionsIdToken "" }} +- id: ACTIONS_ID_TOKEN_REQUEST_TOKEN + env: ACTIONS_ID_TOKEN_REQUEST_TOKEN +- id: ACTIONS_ID_TOKEN_REQUEST_URL + env: ACTIONS_ID_TOKEN_REQUEST_URL +{{- end }} +{{- end }} +git: +- add: {{ $knownVulnPath }} + to: /known_vulnerabilities.vex + stageDependencies: + install: + - "**/*" +dependencies: +- image: {{ $imageName }} + before: install + imports: + - type: ImageDigest + targetEnv: IMAGE_DIGEST + - type: ImageRepo + targetEnv: IMAGE_REPO +shell: + install: + - export REGISTRY_USER="$(cat /run/secrets/REGISTRY_USER)" + - export REGISTRY_PASSWORD="$(cat /run/secrets/REGISTRY_PASSWORD)" +{{- if $isVault }} + - export VAULT_ADDR="$(cat /run/secrets/VAULT_ADDR)" + - export VAULT_ROLE="$(cat /run/secrets/VAULT_ROLE)" + - export TRANSIT_SECRET_ENGINE_PATH="$(cat /run/secrets/TRANSIT_SECRET_ENGINE_PATH)" + - VAULT_KEY=$(cat /run/secrets/VAULT_KEY) + - export VAULT_KEY="hashivault://${VAULT_KEY#hashivault://}" +{{- if ne $actionsIdToken "" }} + - export ACTIONS_ID_TOKEN_REQUEST_TOKEN="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)" + - export ACTIONS_ID_TOKEN_REQUEST_URL="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)" + - export VAULT_AUTH_PATH="github" + - > + export VAULT_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" )) + - > + if [ -n "${VAULT_JWT}" ]; then + echo "Received Actions token"; + else + echo "Actions token empty"; + fi +{{- else }} + - export VAULT_AUTH_PATH="fox" + - export VAULT_JWT="$(cat /run/secrets/VAULT_JWT)" +{{- end }} + - > + export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" -d '{"role":"'${VAULT_ROLE}'","jwt":"'${VAULT_JWT}'"}' | jq -r 
'.auth.client_token')" + - > + if [ -n "${VAULT_TOKEN}" ]; then + echo "Received Vault token"; + else + echo "Vault token empty"; + fi + - echo "Using predicate known_vulnerabilities.vex" +{{- else }} + - | + echo -e "\033[33mWARNING!!! Cosign will sign attestation with self-generated key pair!\033[0m" + export COSIGN_PASSWORD="" + cosign generate-key-pair + export VAULT_KEY="cosign.key" +{{- end }} + - | + cosign attest \ + --replace \ + --registry-username="${REGISTRY_USER}" \ + --registry-password="${REGISTRY_PASSWORD}" \ + --predicate /known_vulnerabilities.vex \ + --type openvex \ + --key ${VAULT_KEY} \ + --tlog-upload=false \ + -y -d \ + "${IMAGE_REPO}@${IMAGE_DIGEST}" + {{- end }} +{{- end }} diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml index ee82bc554f..8f9e954dd2 100644 --- a/werf-giterminism.yaml +++ b/werf-giterminism.yaml @@ -1,7 +1,7 @@ giterminismConfigVersion: 1 config: goTemplateRendering: # The rules for the Go-template functions - allowEnvVariables: + allowEnvVariables: - /CI_.+/ - GOPROXY - MODULES_MODULE_TAG @@ -13,6 +13,9 @@ config: - SVACE_ANALYZE_HOST - SVACE_ANALYZE_SSH_USER - DEBUG_COMPONENT + - ACTIONS_ID_TOKEN_REQUEST_TOKEN + - VAULT_KEY + - WERF_SIGN_KEY stapel: mount: allowBuildDir: true @@ -24,6 +27,16 @@ config: - DECKHOUSE_PRIVATE_REPO - GOPROXY - DISTRO_PACKAGES_PROXY + allowEnvVariables: + - REGISTRY_USER + - REGISTRY_PASSWORD + - VAULT_ADDR + - WERF_SIGN_KEY + - WERF_VAULT_AUTH_ROLE + - WERF_VAULT_AUTH_JWT + - TRANSIT_SECRET_ENGINE_PATH + - ACTIONS_ID_TOKEN_REQUEST_TOKEN + - ACTIONS_ID_TOKEN_REQUEST_URL helm: allowUncommittedFiles: - "Chart.lock" diff --git a/werf.yaml b/werf.yaml index 69521a1dc4..02174aa99b 100644 --- a/werf.yaml +++ b/werf.yaml 
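Review bot: The Vault login in the `install` stage never fails the build when authentication does not happen: `export VAULT_TOKEN="$(curl -fX POST ... | jq -r '.auth.client_token')"` returns the exit status of `export` (always 0), the JWT fetch is written the same way, and the two `if [ -n ... ]` checks only `echo` "token empty" and fall through to `cosign attest` with an empty token, so a broken auth path surfaces later as an opaque cosign error rather than at the point of failure (this holds regardless of whether werf runs the stage with errexit). The request body is also assembled by splicing `${VAULT_ROLE}` and `${VAULT_JWT}` unquoted into `-d '{"role":"'...'"}'`, and `<<< $(curl ...)` word-splits the GitHub response; building the JSON with `jq -n --arg`, piping through `jq -er '... // empty'` and exiting on failure fixes both. Separately, the `{{- else }}` fallback attests a `final: true` image with an ephemeral `cosign generate-key-pair` key and an empty `COSIGN_PASSWORD`, which produces a signature nobody can verify; consider failing instead of warning when the build is a PROD one, though I cannot see from this hunk whether `ENV` is reachable from the template.

```yaml
  install:
    # … unchanged: REGISTRY_*, VAULT_ADDR, VAULT_ROLE, TRANSIT_SECRET_ENGINE_PATH, VAULT_KEY exports …
{{- if ne $actionsIdToken "" }}
    # … unchanged: ACTIONS_ID_TOKEN_REQUEST_* exports, VAULT_AUTH_PATH=github …
    - >
      VAULT_JWT="$(curl -fsS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" | jq -er '.value // empty')" || { echo "Failed to obtain Actions OIDC token" >&2; exit 1; }
    - export VAULT_JWT
{{- else }}
    # … unchanged: VAULT_AUTH_PATH=fox, VAULT_JWT read from /run/secrets …
{{- end }}
    - >
      VAULT_TOKEN="$(jq -n --arg role "${VAULT_ROLE}" --arg jwt "${VAULT_JWT}" '{role: $role, jwt: $jwt}' | curl -fsS -X POST --data-binary @- "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" | jq -er '.auth.client_token // empty')" || { echo "Vault login failed" >&2; exit 1; }
    - export VAULT_TOKEN
    # … unchanged: cosign attest … --key ${VAULT_KEY} …
```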
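Review bot: The new `secrets.allowEnvVariables` list in `werf-giterminism.yaml` does not cover `VAULT_KEY`, `VAULT_ROLE` or `VAULT_ID_TOKEN`, yet the `{{- else }}` branch of the "vex mitigation" template (the path taken when `WERF_SIGN_KEY` is unset) declares secrets with exactly `env: VAULT_KEY`, `env: VAULT_ROLE` and `env: VAULT_JWT`/`VAULT_ID_TOKEN`; if werf enforces this list for every `secrets:` entry, that branch cannot build, so either add the three names or drop the branch. In the same hunk, if the list ending in `- DISTRO_PACKAGES_PROXY` directly above is already an `allowEnvVariables` key under `secrets:`, the added `allowEnvVariables:` is a duplicate mapping key and most YAML loaders will silently keep only the last one, dropping `DECKHOUSE_PRIVATE_REPO`, `GOPROXY` and `DISTRO_PACKAGES_PROXY`; merge the entries into one list. Finally, `goTemplateRendering.allowEnvVariables` now admits the secret values `VAULT_KEY`, `WERF_SIGN_KEY` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` into template rendering although the template only tests them for non-emptiness; a non-secret sentinel such as `VEX_SIGNING_MODE=vault` would give the same branching without making a `{{ env "VAULT_KEY" }}` render into config output a one-line mistake away.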
@@ -12,6 +12,35 @@ build: # Base Images {{- include "parse_base_images_map" . }} --- +# Base image for VEX attestations (cosign attest --type openvex). +# Consumed by the "vex mitigation" template in .werf/defines/vex.tmpl. +# Defined here (not in .werf/*.yaml) so its tools/* imports are discovered +# by parse_base_images_map, which scans only werf.yaml and images/*/werf.inc.yaml. +image: base/vex +fromImage: tools/coreutils +final: false +import: +- image: builder/alpine + add: /etc/ssl/certs/ca-certificates.crt + to: /etc/ssl/certs/ca-certificates.crt + before: install +- image: tools/cosign + add: /usr/bin/cosign + to: /usr/bin/cosign + before: install +- image: tools/jq + add: /usr/bin/jq + to: /usr/bin/jq + before: install +- image: tools/curl + add: /usr/bin/curl-static + to: /usr/bin/curl + before: install +- image: tools/bash + add: /usr/bin/bash + to: /bin/bash + before: install +--- # Source repo settings {{- $_ := set . "SOURCE_REPO" (env "SOURCE_REPO" "https://github.com") }} @@ -31,6 +60,7 @@ build: {{- $_ := set . "ImagesIDList" list }} + {{- range $path, $content := .Files.Glob ".werf/*.yaml" }} {{- tpl $content $ }} {{- end }} @@ -40,13 +70,16 @@ image: images-digests fromImage: builder/alpine dependencies: {{- range $ImageID := $.ImagesIDList }} + {{- $ImageName := $ImageID | splitList "/" | last }} {{- $ImageNameCamel := $ImageID | splitList "/" | last | camelcase | untitle }} + {{- if eq $ImageName (trimSuffix "-vex-artifact" $ImageName) }} - image: {{ $ImageID }} before: setup imports: - type: ImageDigest targetEnv: MODULE_IMAGE_DIGEST_{{ $ImageNameCamel }} {{- end }} + {{- end }} import: - from: tools/jq add: /usr/bin/jq
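Review bot: In the `images-digests` hunk the filter `{{- if eq $ImageName (trimSuffix "-vex-artifact" $ImageName) }}` reads as a round-trip equality test when it is really a suffix check; `{{- if not (hasSuffix "-vex-artifact" $ImageName) }}` says what is meant. The new `$ImageName` also repeats the `splitList "/" | last` that the next line recomputes for `$ImageNameCamel`, so `{{- $ImageNameCamel := $ImageName | camelcase | untitle }}` removes the duplication. The `base/vex` hunk looks consistent with its header comment; I cannot verify from here that `parse_base_images_map` scans only `werf.yaml` and `images/*/werf.inc.yaml` as the comment claims.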