1
0
Fork 0
mirror of https://github.com/imjasonh/terraform-playground synced 2026-07-06 23:12:22 +00:00
terraform-playground/image-workflow
Jason Hall 3d75136654
widespread improvements
Signed-off-by: Jason Hall <jason@chainguard.dev>
2023-08-17 21:21:07 -04:00
..
cmd/app WIP: image workflow 2023-06-22 20:41:22 -04:00
hack WIP: image workflow 2023-06-22 20:41:22 -04:00
iac also set up Chainguard puller identity 2023-06-23 09:19:09 -04:00
go.mod WIP: image workflow 2023-06-22 20:41:22 -04:00
go.sum WIP: image workflow 2023-06-22 20:41:22 -04:00
README.md widespread improvements 2023-08-17 21:21:07 -04:00

image-workflow

This sets up a Cloud Run app to listen for registry.push events to a private Chainguard Registry group, and triggers a GitHub Actions workflow with that image ref as an input.

This lets you define GitHub Actions workflows to pull and test images in response to pushes.

Usage

To start, create a GitHub workflow at .github/workflows/workflow.yaml, with an input named image:

on:
  workflow_dispatch:
    inputs:
      image:
        description: 'Image to test'
        required: true

jobs:
  test-image:
    runs-on: ubuntu-latest
    steps:
      # This sets up auth with the registry to be able to pull the image.
      - uses: chainguard-dev/actions/setup-chainctl@main
        with:
          identity: TODO  # We'll fill this in later.

      - run: |
          # Your tests go here.
          docker pull ${{ github.event.inputs.image }}

Then terraform apply the module (e.g., from the root of this repo):

module "image-workflow" {
  source = "./image-workflow/iac"  # TODO: move to enforce-events

  # name is used to prefix resources created by this demo application
  # where possible.
  name = "chainguard-dev"

  # This is the GCP project ID in which certain resource will live including:
  #  - The container image for this application,
  #  - The Cloud Run service hosting this application,
  project_id = "<project-id>"

  # The Chainguard IAM group from which we expect to receive events.
  # This is used to authenticate that the Chainguard events are intended
  # for you, and not another user.
  # Images pushed to repos under this group will trigger workflows.
  group = "<group-id>"

  # These describe the GitHub organization, repository and workflow to trigger.
  github_org         = "my-org"
  github_repo        = "my-repo"
  github_workflow_id = "workflow.yaml"

  # Location of the Cloud Run subscriber.
  # location = "us-central1" (default)
}

Setting your GitHub Personal Access Token

Once things have been provisioned, this module outputs a secret-command containing the command to run to upload your Github "personal access token" to the Google Secret Manager secret the application will use, looking something like this:

echo -n YOUR GITHUB PAT | \
  gcloud --project ... secrets versions add ... --data-file=-

The personal access token needs actions:write to trigger workflows.

Setting your puller identity

The module also outputs the identity that was created, which can be assumed by the GitHub Actions workflow. This is the value that goes in the setup-chainctl step of your workflow above.