diff --git a/image-workflow/README.md b/image-workflow/README.md index 70985ef..9afafe0 100644 --- a/image-workflow/README.md +++ b/image-workflow/README.md @@ -2,12 +2,55 @@ This sets up a Cloud Run app to listen for `registry.push` events to a private Chainguard Registry group, and triggers a GitHub Actions workflow with that image ref as an input. -The Terraform does everything: +To start, create a GitHub workflow at `.github/workflows/workflow.yaml`, with an input named `image`: -- builds the mirroring app into an image using `ko_build` -- deploys the app to a Cloud Run service +``` +on: + workflow_dispatch: + inputs: + image: + description: 'Image to test' + required: true -`TODO: package as a module like enforce-events` +jobs: + test-image: + runs-on: ubuntu-latest + steps: + - run: | + # Your tests go here. + echo ding ding testing ${{ github.event.inputs.image }} +``` + +Then Terraform apply the module (e.g., from the root of this repo): + +``` +module "image-workflow" { + source = "./image-workflow" # TODO: move to enforce-events + + # name is used to prefix resources created by this demo application + # where possible. + name = "chainguard-dev" + + # This is the GCP project ID in which certain resource will live including: + # - The container image for this application, + # - The Cloud Run service hosting this application, + project_id = "" + + # The Chainguard IAM group from which we expect to receive events. + # This is used to authenticate that the Chainguard events are intended + # for you, and not another user. + # Images pushed to repos under this group will trigger workflows. + group = "" + + # These describe the GitHub organization, repository and workflow to trigger. + github_org = "my-org" + github_repo = "my-repo" + github_workflow_id = "workflow.yaml" + + # Location of the Cloud Run subscriber. + # location = "us-central1" (default) +} +``` Once things have been provisioned, this module outputs a `secret-command` containing the command to run to upload your Github "personal access token" to