-
Notifications
You must be signed in to change notification settings - Fork 7
80 lines (78 loc) · 2.83 KB
/
docker-image-mirror-workflow.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
name: docker-image-mirroring
on:
workflow_call:
inputs:
destination-registry:
description: 'Destination Docker registry'
required: false
type: string
default: 'ghcr.io/codepraxis-io'
upstream-registry:
required: true
type: string
upstream-image-list:
required: true
type: string
sign-image:
required: false
type: string
default: "true"
secrets:
DESTINATION_REGISTRY_USERNAME:
required: true
DESTINATION_REGISTRY_PASSWORD:
required: true
COSIGN_PRIVATE_KEY:
required: true
COSIGN_PRIVATE_KEY_PASSWORD:
required: true
COSIGN_PUBLIC_KEY:
required: true
jobs:
mirror-docker-image:
strategy:
matrix:
upstream-image: ${{ fromJSON(inputs.upstream-image-list) }}
runs-on: ubuntu-latest
env:
IMAGE_AND_TAG: ${{ matrix.upstream-image }}
steps:
- name: Get image and tag
id: prep
shell: bash
run: |
echo IMAGE_AND_TAG=$IMAGE_AND_TAG
IMAGE=$(echo ${IMAGE_AND_TAG} | cut -f 1 -d ':')
TAG=$(echo ${IMAGE_AND_TAG} | cut -f 2 -d ':')
echo IMAGE=$IMAGE
echo TAG=$TAG
echo ::set-output name=image::${IMAGE}
echo ::set-output name=tag::${TAG}
- name: Login to destination registry
shell: bash
run: |
docker login --username ${{ secrets.DESTINATION_REGISTRY_USERNAME }} --password ${{ secrets.DESTINATION_REGISTRY_PASSWORD }} ${{ inputs.destination-registry }}
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.12.1'
- name: Check cosign install
run: cosign version
- name: Pull Docker image from upstream and push to destination registry
shell: bash
env:
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PUBLIC_KEY: ${{secrets.COSIGN_PUBLIC_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PRIVATE_KEY_PASSWORD}}
run: |
DESTINATION_REPOSITORY="${{ inputs.destination-registry }}/${{ steps.prep.outputs.image }}:${{ steps.prep.outputs.tag }}"
UPSTREAM_DOCKER_IMAGE="${{ inputs.upstream-registry }}/${{ steps.prep.outputs.image }}:${{ steps.prep.outputs.tag }}"
echo DESTINATION_REPOSITORY=$DESTINATION_REPOSITORY
echo UPSTREAM_DOCKER_IMAGE=$UPSTREAM_DOCKER_IMAGE
docker pull ${UPSTREAM_DOCKER_IMAGE}
docker tag ${UPSTREAM_DOCKER_IMAGE} ${DESTINATION_REPOSITORY}
docker push ${DESTINATION_REPOSITORY}
if [ "${{ inputs.sign-image }}" == "true" ]; then
cosign sign --key env://COSIGN_PRIVATE_KEY ${DESTINATION_REPOSITORY}
cosign verify --key env://COSIGN_PUBLIC_KEY ${DESTINATION_REPOSITORY}
fi