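# Refresh the pinned snapshot.debian.org timestamps that make the image builds
# reproducible: pick the newest snapshot of the current month for the "debian"
# and "debian-security" archives and write it into .pinned_ver and readme.md.
# Globals (read):     REPO, PROJECT
# Globals (exported): debian, debian_security (only when the pin is moved)
# Files:              .pinned_ver (read, rewritten in place), readme.md (rewritten in place)
# The index page lists one '<a href="YYYYMMDDThhmmssZ/">' entry per snapshot; the last
# one for the current YYYYMM is the newest. %-m (no zero padding) is what the index URL takes.
url_deb="https://snapshot.debian.org/archive/debian/?year=$(date +%Y)&month=$(date +%-m)"
# -f: an HTTP error produces an empty result instead of an error page being parsed as a snapshot id.
curl_deb=$(curl -fsS -- "$url_deb" | grep "<a href=\"$(date +%Y%m)" | tail -n 1 | cut -d'"' -f2 | cut -d'/' -f1)
url_deb_sec="https://snapshot.debian.org/archive/debian-security/?year=$(date +%Y)&month=$(date +%-m)"
curl_deb_sec=$(curl -fsS -- "$url_deb_sec" | grep "<a href=\"$(date +%Y%m)" | tail -n 1 | cut -d'"' -f2 | cut -d'/' -f1)
# Pin currently published on the builder branch (fetched once) versus the local working copy.
url_src="https://raw.githubusercontent.com/${REPO}/${PROJECT}/refs/heads/builder/.pinned_ver"
remote_pinned_ver=$(curl -fsS -- "$url_src")
curl_cur_deb=$(grep debian= <<<"$remote_pinned_ver" | cut -d'=' -f2)
curl_cur_deb_sec=$(grep debian_security= <<<"$remote_pinned_ver" | cut -d'=' -f2)
cur_deb=$(grep debian= .pinned_ver | cut -d'=' -f2)
cur_deb_sec=$(grep debian_security= .pinned_ver | cut -d'=' -f2)
# Move the pin only when the local file still matches what is published (no unmerged local
# edit) AND every value is non-empty: with an empty $curl_deb (network failure, no snapshot
# yet this month) the sed below would otherwise blank the pin, and an empty $cur_deb would
# make the pattern match anything.
if [[ -n "$cur_deb" && -n "$cur_deb_sec" && -n "$curl_deb" && -n "$curl_deb_sec" \
      && "$curl_cur_deb" == *"$cur_deb"* ]]; then
  export debian="$curl_deb"
  export debian_security="$curl_deb_sec"
  # Snapshot ids are used unescaped as sed patterns; this presumes they are plain
  # timestamps without sed metacharacters — TODO confirm against the archive index.
  sed -i "s/$cur_deb/$curl_deb/" .pinned_ver
  sed -i "s/$cur_deb_sec/$curl_deb_sec/" .pinned_ver
  sed -i "s/$cur_deb/$curl_deb/" readme.md
  sed -i "s/$cur_deb_sec/$curl_deb_sec/" readme.md
  printf 'Pinned Version Updated to deb:%s and deb_sec:%s\n\n' "$curl_deb" "$curl_deb_sec"
fi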
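# Build, push, scan, attest and commit each Debian image variant from its own
# subdirectory, one dedicated buildx builder per variant.
# Globals (read): docker, REPO, rel_date, source_date_epoch, debian, debian_security,
#                 source, SIGSTORE_USR
# Requires: scan_using_grype (defined elsewhere in this project), buildx, jq, cosign,
#           script(1), git with a signing key configured
for module in debian-slim debian debian-extra; do
  pushd "$module/" || exit 1
  # Drop artifacts of a previous run; "$module".* is a deliberate glob.
  rm -f -- "$module".* readme.md
  # shellcheck disable=SC2086 — $docker may hold a multi-word command; intentionally unquoted
  $docker buildx create \
    --name "$module-builder" --buildkitd-flags "--oci-worker-rootless=true" \
    --driver docker-container --driver-opt "network=host,default-load=true" --bootstrap --use
  # SOURCE_DATE_EPOCH plus the pinned DEBIAN/DEBIAN_SECURITY snapshots are what the
  # build relies on for reproducibility; provenance mode=max records the full build inputs.
  # shellcheck disable=SC2086
  $docker buildx build --push \
    --tag "$REPO/$module:$rel_date" \
    --metadata-file "$module.meta.json" \
    --platform linux/arm64,linux/amd64 \
    --attest "type=provenance,mode=max" \
    --label "org.opencontainers.image.vendor=$REPO" \
    --label org.opencontainers.image.licenses=GPL-3.0 \
    --build-arg "SOURCE_DATE_EPOCH=$source_date_epoch" \
    --build-arg "DEBIAN_SECURITY=$debian_security" \
    --build-arg "DEBIAN=$debian" \
    --build-arg "REL_DATE=$rel_date" \
    --build-arg "SOURCE=$source" .
  # shellcheck disable=SC2086
  $docker buildx stop "$module-builder"
  # shellcheck disable=SC2086
  $docker buildx rm -f --all-inactive
  # shellcheck disable=SC2086
  $docker buildx prune -f -a && echo
  scan_using_grype "$module" "$REPO/$module:$rel_date" "$rel_date"
  # Record the pushed image reference and its digests (last two sha256 entries of the
  # buildx metadata file) so the readme documents exactly what was published.
  printf '# %s\n' "$REPO/$module:$rel_date" > "$module.image.digest"
  jq '.[]' "$module.meta.json" | tail -n 2 | grep sha256 | sed 's/"//g' >> "$module.image.digest"
  cat "$module.image.digest" >> readme.md && cat readme.md
  # cosign runs under script(1) to get a pty. The command line is assembled with %q so
  # that the image reference and $SIGSTORE_USR reach cosign as single words and are never
  # re-parsed by the shell; the output redirect is part of the command script(1) runs.
  cosign_run=$(printf '%q ' cosign verify-attestation "docker.io/$REPO/$module:$rel_date" \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate-identity "$SIGSTORE_USR" --type spdxjson)
  cosign_run+="> $(printf '%q' "$module.image.sig")"
  # One retry; verification is presumed to fail transiently on occasion — TODO confirm.
  if ! script -q -c "$cosign_run" /dev/null > "$module.image.attested"; then
    script -q -c "$cosign_run" /dev/null > "$module.image.attested" || exit 1
  fi
  cat "$module.image.attested" && echo && git status && git add -A && git status \
    && read -r -p 'Press enter to launch pinentry'
  # Signed commit (-S) pushed to a branch named after the module.
  git commit -a -S -m "Successful Build of $module:$rel_date" \
    && git push --set-upstream origin "HEAD:$module"
  popd && echo
done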