From 500173e61c3f3e8c3431d263c76250b2e0b976a8 Mon Sep 17 00:00:00 2001
From: Daniel Salazar <podany270895@gmail.com>
Date: Wed, 29 Mar 2023 14:37:57 -0500
Subject: [PATCH] feat(build): #1011 sign container
- Sign makes container cosign and oidc
---
.github/workflows/prod.yml | 837 +------------------------------------
makes.nix | 2 +-
2 files changed, 20 insertions(+), 819 deletions(-)
diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml
index dc1412dfb..f7a3b5fe7 100644
--- a/.github/workflows/prod.yml
+++ b/.github/workflows/prod.yml
@@ -3,834 +3,35 @@ concurrency:
group: ${{ github.actor }}
jobs:
deployContainerImage_makesLatest:
- if: ${{ github.repository == 'fluidattacks/makes' }}
+ if: ${{ github.repository == 'dsalaza4/makes' }}
runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ id-token: write
steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- env:
- GITHUB_ACTOR: ${{ github.actor }}
- GITHUB_TOKEN: ${{ github.token }}
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /deployContainerImage/makesLatest"
- deployContainerImage_makesPinned:
- if: ${{ github.repository == 'fluidattacks/makes' }}
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- env:
- GITHUB_ACTOR: ${{ github.actor }}
- GITHUB_TOKEN: ${{ github.token }}
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /deployContainerImage/makesPinned"
- releaseGitHub:
- if: ${{ github.repository == 'fluidattacks/makes' }}
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: richardsimko/update-tag@5bd0e05b035e02d5da3768dbdcfc4e5e0908623e
- with:
- tag_name: "latest"
- env:
- GITHUB_TOKEN: ${{ github.token }}
- - uses: johnwbyrd/update-release@1d5ec4791e40507e5eca3b4dbf90f0b27e7e4979
- with:
- files: README.md
- release: "latest"
- prerelease: true
- tag: "latest"
- token: ${{ github.token }}
- - uses: richardsimko/update-tag@5bd0e05b035e02d5da3768dbdcfc4e5e0908623e
- with:
- tag_name: "23.04"
- env:
- GITHUB_TOKEN: ${{ github.token }}
- - uses: johnwbyrd/update-release@1d5ec4791e40507e5eca3b4dbf90f0b27e7e4979
- with:
- files: README.md
- release: "23.04"
- prerelease: true
- tag: "23.04"
- token: ${{ github.token }}
- linux_all:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: __all__
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . __all__"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- mac_all:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: __all__
- run: nix-env -if . && m . __all__
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_calculatescorecard:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /calculateScorecard
- env:
- GITHUB_TOKEN: ${{ github.token }}
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /calculateScorecard"
- macos_calculatescorecard:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /calculateScorecard
- env:
- GITHUB_TOKEN: ${{ github.token }}
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- run: nix-env -if . && m . /calculateScorecard
-
- linux_deployTerraform_module:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /deployTerraform/module
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /deployTerraform/module"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_deployTerraform_module:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /deployTerraform/module
- run: nix-env -if . && m . /deployTerraform/module
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_dev_cliMain:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /dev/cliMain
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /dev/cliMain"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_dev_cliMain:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /dev/cliMain
- run: nix-env -if . && m . /dev/cliMain
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_dev_example:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /dev/example
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /dev/example"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_dev_example:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /dev/example
- run: nix-env -if . && m . /dev/example
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_docs_deploy:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /docs/deploy
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /docs/deploy prod"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_envVars_example:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /envVars/example
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /envVars/example"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_envVars_example:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /envVars/example
- run: nix-env -if . && m . /envVars/example
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_formatBash:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /formatBash
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /formatBash"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_formatBash:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /formatBash
- run: nix-env -if . && m . /formatBash
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ - uses: sigstore/cosign-installer@main
- linux_formatNix:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /formatNix
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /formatNix"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_formatNix:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /formatNix
- run: nix-env -if . && m . /formatNix
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_formatPython:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /formatPython
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /formatPython"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_formatPython:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /formatPython
- run: nix-env -if . && m . /formatPython
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_formatTerraform:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /formatTerraform
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /formatTerraform"
+ - name: test
+ run: cosign version && cosign verify --help
env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_formatTerraform:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /formatTerraform
- run: nix-env -if . && m . /formatTerraform
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ COSIGN_EXPERIMENTAL: 1
- linux_formatYaml:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /formatYaml
+ - name: Login to GitHub
+ uses: docker/login-action@v1.9.0
with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /formatYaml"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_formatYaml:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /formatYaml
- run: nix-env -if . && m . /formatYaml
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
- linux_helloWorld:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /helloWorld
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /helloWorld"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_helloWorld:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /helloWorld
- run: nix-env -if . && m . /helloWorld
+ - name: Sign the images
+ run: cosign sign -y ghcr.io/dsalaza4/makes:latest
env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ COSIGN_EXPERIMENTAL: 1
- linux_license:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /license
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /license"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_license:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /license
- run: nix-env -if . && m . /license
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintBash:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintBash
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintBash"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintBash:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintBash
- run: nix-env -if . && m . /lintBash
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintClojure_test:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintClojure/test
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintClojure/test"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintClojure_test:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintClojure
- run: nix-env -if . && m . /lintClojure/test
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintGitCommitMsg:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- with:
- fetch-depth: 0
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintGitCommitMsg
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintGitCommitMsg"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintGitMailMap:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- with:
- fetch-depth: 0
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintGitMailMap
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintGitMailMap"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintGitMailMap:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintGitMailMap
- run: nix-env -if . && m . /lintGitMailMap
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintMarkdown_all:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintMarkdown/all
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintMarkdown/all"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintMarkdown_all:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintMarkdown/all
- run: nix-env -if . && m . /lintMarkdown/all
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintNix:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintNix
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintNix"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintNix:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintNix
- run: nix-env -if . && m . /lintNix
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintPython_dirOfModules_makes:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintPython/dirOfModules/makes
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintPython/dirOfModules/makes"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintPython_dirOfModules_makes:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintPython/dirOfModules/makes
- run: nix-env -if . && m . /lintPython/dirOfModules/makes
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintPython_dirOfModules_makes_main:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintPython/dirOfModules/makes/main
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintPython/dirOfModules/makes/main"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintPython_dirOfModules_makes_main:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintPython/dirOfModules/makes/main
- run: nix-env -if . && m . /lintPython/dirOfModules/makes/main
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintPython_imports_makes:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintPython/imports/makes
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintPython/imports/makes"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintPython_imports_makes:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintPython/imports/makes
- run: nix-env -if . && m . /lintPython/imports/makes
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintPython_module_cliMain:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintPython/module/cliMain
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintPython/module/cliMain"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintPython_module_cliMain:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintPython/module/cliMain
- run: nix-env -if . && m . /lintPython/module/cliMain
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintTerraform_module:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintTerraform/module
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintTerraform/module"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintTerraform_module:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintTerraform/module
- run: nix-env -if . && m . /lintTerraform/module
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintWithAjv_test:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintWithAjv/test
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintWithAjv/test"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_lintWithLizard_all:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /lintWithLizard/all
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /lintWithLizard/all"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_lintWithLizard_all:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /lintWithLizard/all
- run: nix-env -if . && m . /lintWithLizard/all
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_secretsForEnvFromSops_example:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /secretsForEnvFromSops/example
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /secretsForEnvFromSops/example"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_secretsForEnvFromSops_example:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /secretsForEnvFromSops/example
- run: nix-env -if . && m . /secretsForEnvFromSops/example
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_secretsForGpgFromEnv_example:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /secretsForGpgFromEnv/example
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /secretsForGpgFromEnv/example"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_secretsForGpgFromEnv_example:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /secretsForGpgFromEnv/example
- run: nix-env -if . && m . /secretsForGpgFromEnv/example
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_securePythonWithBandit_cli:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /securePythonWithBandit/cli
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /securePythonWithBandit/cli"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_securePythonWithBandit_cli:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /securePythonWithBandit/cli
- run: nix-env -if . && m . /securePythonWithBandit/cli
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_taintTerraform_module:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /taintTerraform/module
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /taintTerraform/module"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_taintTerraform_module:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /taintTerraform/module
- run: nix-env -if . && m . /taintTerraform/module
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_testPython_example:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /testPython/example
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /testPython/example"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_testPython_example:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /testPython/example
- run: nix-env -if . && m . /testPython/example
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_tests_calculateCvss3:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /tests/calculateCvss3
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /tests/calculateCvss3"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_tests_calculateCvss3:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /tests/calculateCvss3
- run: nix-env -if . && m . /tests/calculateCvss3
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_tests_makeSearchPaths:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /tests/makeSearchPaths
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /tests/makeSearchPaths"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_tests_makeSearchPaths:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@v15
- - name: /tests/makeSearchPaths
- run: nix-env -if . && m . /tests/makeSearchPaths
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_tests_makeTemplate:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /tests/makeTemplate
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /tests/makeTemplate"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_tests_makeTemplate:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@v15
- - name: /tests/makeTemplate
- run: nix-env -if . && m . /tests/makeTemplate
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_tests_scriptWithHelp:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /tests/scriptWithHelp
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /tests/scriptWithHelp"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_tests_scriptWithHelp:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@v15
- - name: /tests/scriptWithHelp
- run: nix-env -if . && m . /tests/scriptWithHelp
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_tests_secretsForGpgFromEnv:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /tests/secretsForGpgFromEnv
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /tests/secretsForGpgFromEnv"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_tests_secretsForGpgFromEnv:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /tests/secretsForGpgFromEnv
- run: nix-env -if . && m . /tests/secretsForGpgFromEnv
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
- linux_testTerraform_module:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: docker://docker.io/nixos/nix@sha256:1d13ae379fb8caf3f859c5ce7ec6002643d60cf8b7b6147b949cc34880c93bac
- name: /testTerraform/module
- with:
- set-safe-directory: /github/workspace
- args: sh -c "nix-env -if . && m . /testTerraform/module"
- env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
- macos_testTerraform_module:
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: cachix/install-nix-action@451e61183802597c1febd6ca3cf18aa163f93a06
- - name: /testTerraform/module
- run: nix-env -if . && m . /testTerraform/module
+ - name: Verify the pushed tags
+ run: cosign verify --certificate-identity-regexp ".*" --certificate-oidc-issuer-regexp ".*" ghcr.io/dsalaza4/makes:latest
env:
- CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ COSIGN_EXPERIMENTAL: 1
name: prod
on:
push:
diff --git a/makes.nix b/makes.nix
index a4b06a48d..34dfaf6c9 100644
--- a/makes.nix
+++ b/makes.nix
@@ -34,7 +34,7 @@
};
registry = "ghcr.io";
src = outputs."/container-image";
- tag = "fluidattacks/makes:latest";
+ tag = "dsalaza4/makes:latest";
};
makesPinned = {
attempts = 3;