-
-
Notifications
You must be signed in to change notification settings - Fork 166
/
Copy pathsign.bzl
81 lines (66 loc) · 2.36 KB
/
sign.bzl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
"Implementation details for sign rule"
_DOC = """Sign an oci_image using cosign binary at a remote registry.
It signs the image by its digest determined beforehand.
```starlark
oci_image(
name = "image"
)
cosign_sign(
name = "sign",
image = ":image",
repository = "index.docker.io/org/image"
)
```
`repository` attribute can be overridden using the `--repository` flag.
```starlark
oci_image(
name = "image"
)
cosign_sign(
name = "sign",
image = ":image",
repository = "index.docker.io/org/image"
)
```
run `bazel run :sign -- --repository=index.docker.io/org/test`
"""
_attrs = {
"image": attr.label(allow_single_file = True, mandatory = True, doc = "Label to an oci_image"),
"repository": attr.string(mandatory = True, doc = """\
Repository URL where the image will be signed at, e.g.: `index.docker.io/<user>/image`.
Digests and tags are not allowed.
"""),
"_sign_sh_tpl": attr.label(default = "sign.sh.tpl", allow_single_file = True),
}
def _cosign_sign_impl(ctx):
cosign = ctx.toolchains["@rules_oci//cosign:toolchain_type"]
jq = ctx.toolchains["@aspect_bazel_lib//lib:jq_toolchain_type"]
if ctx.attr.repository.find(":") != -1 or ctx.attr.repository.find("@") != -1:
fail("repository attribute should not contain digest or tag.")
executable = ctx.actions.declare_file("cosign_sign_{}.sh".format(ctx.label.name))
ctx.actions.expand_template(
template = ctx.file._sign_sh_tpl,
output = executable,
is_executable = True,
substitutions = {
"{{cosign_path}}": cosign.cosign_info.binary.short_path,
"{{jq_path}}": jq.jqinfo.bin.short_path,
"{{image_dir}}": ctx.file.image.short_path,
"{{fixed_args}}": " ".join(["--repository", ctx.attr.repository]),
},
)
runfiles = ctx.runfiles(files = [ctx.file.image])
runfiles = runfiles.merge(ctx.attr.image[DefaultInfo].default_runfiles)
runfiles = runfiles.merge(jq.default.default_runfiles)
runfiles = runfiles.merge(cosign.default.default_runfiles)
return DefaultInfo(executable = executable, runfiles = runfiles)
cosign_sign = rule(
implementation = _cosign_sign_impl,
attrs = _attrs,
doc = _DOC,
executable = True,
toolchains = [
"@rules_oci//cosign:toolchain_type",
"@aspect_bazel_lib//lib:jq_toolchain_type",
],
)