# `image-workflow` This sets up a Cloud Run app to listen for `registry.push` events to a private Chainguard Registry group, and triggers a GitHub Actions workflow with that image ref as an input. This lets you define GitHub Actions workflows to pull and test images in response to pushes. # Usage To start, create a GitHub workflow at `.github/workflows/workflow.yaml`, with an input named `image`: ``` on: workflow_dispatch: inputs: image: description: 'Image to test' required: true jobs: test-image: runs-on: ubuntu-latest steps: # This sets up auth with the registry to be able to pull the image. - uses: chainguard-dev/actions/setup-chainctl@main with: identity: TODO # We'll fill this in later. - run: | # Your tests go here. docker pull ${{ github.event.inputs.image }} ``` Then `terraform apply` the module (e.g., from the root of this repo): ``` module "image-workflow" { source = "./image-workflow/iac" # TODO: move to enforce-events # name is used to prefix resources created by this demo application # where possible. name = "chainguard-dev" # This is the GCP project ID in which certain resource will live including: # - The container image for this application, # - The Cloud Run service hosting this application, project_id = "" # The Chainguard IAM group from which we expect to receive events. # This is used to authenticate that the Chainguard events are intended # for you, and not another user. # Images pushed to repos under this group will trigger workflows. group = "" # These describe the GitHub organization, repository and workflow to trigger. github_org = "my-org" github_repo = "my-repo" github_workflow_id = "workflow.yaml" # Location of the Cloud Run subscriber. # location = "us-central1" (default) } ``` ## Setting your GitHub Personal Access Token Once things have been provisioned, this module outputs a `secret-command` containing the command to run to upload your Github "personal access token" to the Google Secret Manager secret the application will use, looking something like this: ```shell echo -n YOUR GITHUB PAT | \ gcloud --project ... secrets versions add ... --data-file=- ``` The personal access token needs `actions:write` to trigger workflows. ## Setting your puller identity The module also outputs the identity that was created, which can be assumed by the GitHub Actions workflow. This is the value that goes in the `setup-chainctl` step of your workflow above.