41 lines
1.4 KiB
YAML
41 lines
1.4 KiB
YAML
# Copyright 2022 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# https://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
steps:
|
|
- id: 'Build image and push it to artifact registry'
|
|
name: 'gcr.io/kaniko-project/executor:latest'
|
|
args:
|
|
- '--destination=${_IMAGE}:${COMMIT_SHA}'
|
|
- '--cache=true'
|
|
- '--cache-ttl=6h'
|
|
- id: 'Create and sign attestation'
|
|
name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:latest'
|
|
entrypoint: 'bash'
|
|
args:
|
|
- '-eEuo'
|
|
- 'pipefail'
|
|
- '-c'
|
|
- |
|
|
set -x
|
|
DIGEST=$(gcloud container images describe ${_IMAGE}:${COMMIT_SHA} \
|
|
--format 'value(image_summary.digest)' \
|
|
--project ${PROJECT_ID})
|
|
gcloud beta container binauthz attestations sign-and-create \
|
|
--project="${PROJECT_ID}" \
|
|
--artifact-url="${_IMAGE}@$${DIGEST}" \
|
|
--attestor="${_ATTESTOR}" \
|
|
--keyversion="${_KEY_VERSION}"
|
|
options:
|
|
logging: CLOUD_LOGGING_ONLY
|