2023-06-22 20:44:27 -04:00
# `image-workflow`
This sets up a Cloud Run app to listen for `registry.push` events to a private Chainguard Registry group, and triggers a GitHub Actions workflow with that image ref as an input.
2023-06-23 09:19:09 -04:00
This lets you define GitHub Actions workflows to pull and test images in response to pushes.
# Usage
2023-06-22 20:49:41 -04:00
To start, create a GitHub workflow at `.github/workflows/workflow.yaml` , with an input named `image` :
2023-06-22 20:44:27 -04:00
2023-06-22 20:49:41 -04:00
```
on:
workflow_dispatch:
inputs:
image:
description: 'Image to test'
required: true
jobs:
test-image:
runs-on: ubuntu-latest
steps:
2023-06-23 09:19:09 -04:00
# This sets up auth with the registry to be able to pull the image.
- uses: chainguard-dev/actions/setup-chainctl@main
with:
identity: TODO # We'll fill this in later.
2023-06-22 20:49:41 -04:00
- run: |
# Your tests go here.
2023-06-23 09:19:09 -04:00
docker pull ${{ github.event.inputs.image }}
2023-06-22 20:49:41 -04:00
```
2023-06-23 09:19:09 -04:00
Then `terraform apply` the module (e.g., from the root of this repo):
2023-06-22 20:49:41 -04:00
```
module "image-workflow" {
2023-08-17 21:21:07 -04:00
source = "./image-workflow/iac" # TODO: move to enforce-events
2023-06-22 20:44:27 -04:00
2023-06-22 20:49:41 -04:00
# name is used to prefix resources created by this demo application
# where possible.
name = "chainguard-dev"
# This is the GCP project ID in which certain resource will live including:
# - The container image for this application,
# - The Cloud Run service hosting this application,
project_id = "< project-id > "
# The Chainguard IAM group from which we expect to receive events.
# This is used to authenticate that the Chainguard events are intended
# for you, and not another user.
# Images pushed to repos under this group will trigger workflows.
group = "< group-id > "
# These describe the GitHub organization, repository and workflow to trigger.
github_org = "my-org"
github_repo = "my-repo"
github_workflow_id = "workflow.yaml"
# Location of the Cloud Run subscriber.
# location = "us-central1" (default)
}
```
2023-06-22 20:44:27 -04:00
2023-06-23 09:19:09 -04:00
## Setting your GitHub Personal Access Token
2023-06-22 20:44:27 -04:00
Once things have been provisioned, this module outputs a `secret-command`
containing the command to run to upload your Github "personal access token" to
the Google Secret Manager secret the application will use, looking something
like this:
```shell
echo -n YOUR GITHUB PAT | \
gcloud --project ... secrets versions add ... --data-file=-
```
The personal access token needs `actions:write` to trigger workflows.
2023-06-23 09:19:09 -04:00
## Setting your puller identity
The module also outputs the identity that was created, which can be assumed by the
GitHub Actions workflow. This is the value that goes in the `setup-chainctl` step
of your workflow above.