From 24a9279c8c0059c4ddb0ddd520203b5510050975 Mon Sep 17 00:00:00 2001 From: Gerald Pinder Date: Wed, 21 Aug 2024 16:04:37 -0400 Subject: [PATCH] fix: Fix docker login for oauth logins --- .github/workflows/build-pr.yml | 73 ++++++++++++++++++++++++++++++++ process/drivers/cosign_driver.rs | 3 +- process/drivers/docker_driver.rs | 5 ++- utils/src/constants.rs | 2 + utils/src/credentials.rs | 4 +- 5 files changed, 83 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml index 26207dd8..ca17a767 100644 --- a/.github/workflows/build-pr.yml +++ b/.github/workflows/build-pr.yml @@ -313,6 +313,79 @@ jobs: grep -q 'ARG IMAGE_REGISTRY=ghcr.io/blue-build' Containerfile || exit 1 bluebuild build --retry-push -S sigstore --push -vv recipes/recipe.yml recipes/recipe-39.yml + docker-build-oauth-login: + timeout-minutes: 60 + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + needs: + - build + if: needs.build.outputs.push == 'true' + + steps: + - name: Google Auth + id: auth + uses: "google-github-actions/auth@v2" + with: + token_format: "access_token" + service_account: ${{ secrets.SERVICE_ACCOUNT }} + project_id: bluebuild-oidc + create_credentials_file: false + workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY }} + + - name: Maximize build space + uses: ublue-os/remove-unwanted-software@v6 + + - uses: sigstore/cosign-installer@v3.3.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + install: true + + - uses: actions-rust-lang/setup-rust-toolchain@v1 + + - name: Docker Auth + id: docker-auth + uses: "docker/login-action@v3" + with: + username: "oauth2accesstoken" + password: "${{ steps.auth.outputs.access_token }}" + registry: us-east1-docker.pkg.dev + + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + + - name: Install bluebuild + run: | + cargo install --path . --debug --all-features + + - name: Expose GitHub Runtime + uses: crazy-max/ghaction-github-runtime@v3 + + - name: Run Build + env: + GH_PR_EVENT_NUMBER: ${{ github.event.number }} + COSIGN_PRIVATE_KEY: ${{ secrets.TEST_SIGNING_SECRET }} + BB_BUILDKIT_CACHE_GHA: true + run: | + cd integration-tests/test-repo + bluebuild template -vv | tee Containerfile + grep -q 'ARG IMAGE_REGISTRY=ghcr.io/blue-build' Containerfile || exit 1 + bluebuild build \ + --registry us-east1-docker.pkg.dev \ + --registry-namespace bluebuild-oidc/bluebuild \ + --retry-push \ + -S sigstore \ + --push \ + -vv \ + recipes/recipe.yml recipes/recipe-39.yml + podman-build: timeout-minutes: 60 runs-on: ubuntu-latest diff --git a/process/drivers/cosign_driver.rs b/process/drivers/cosign_driver.rs index 70f22ef5..9a39821a 100644 --- a/process/drivers/cosign_driver.rs +++ b/process/drivers/cosign_driver.rs @@ -2,7 +2,7 @@ use std::{fmt::Debug, fs, io::Write, path::Path, process::Stdio}; use blue_build_utils::{ cmd, - constants::{COSIGN_PASSWORD, COSIGN_PUB_PATH, COSIGN_YES}, + constants::{COSIGN_PASSWORD, COSIGN_PUB_PATH, COSIGN_YES, DOCKER_CONTENT_TRUST}, credentials::Credentials, }; use log::{debug, trace}; @@ -92,6 +92,7 @@ impl SigningDriver for CosignDriver { username, "--password-stdin", registry, + DOCKER_CONTENT_TRUST => "false", stdin = Stdio::piped(), stdout = Stdio::piped(), stderr = Stdio::piped(), diff --git a/process/drivers/docker_driver.rs b/process/drivers/docker_driver.rs index 9bfe9877..86102954 100644 --- a/process/drivers/docker_driver.rs +++ b/process/drivers/docker_driver.rs @@ -9,7 +9,9 @@ use std::{ use blue_build_utils::{ cmd, - constants::{BB_BUILDKIT_CACHE_GHA, CONTAINER_FILE, DOCKER_HOST, SKOPEO_IMAGE}, + constants::{ + BB_BUILDKIT_CACHE_GHA, CONTAINER_FILE, DOCKER_CONTENT_TRUST, DOCKER_HOST, SKOPEO_IMAGE, + }, credentials::Credentials, string_vec, }; @@ -191,6 +193,7 @@ impl BuildDriver for DockerDriver { username, "--password-stdin", registry, + DOCKER_CONTENT_TRUST => "false", stdin = Stdio::piped(), stdout = Stdio::piped(), stderr = Stdio::piped(), diff --git a/utils/src/constants.rs b/utils/src/constants.rs index 55d77641..f6613238 100644 --- a/utils/src/constants.rs +++ b/utils/src/constants.rs @@ -26,6 +26,8 @@ pub const BB_USERNAME: &str = "BB_USERNAME"; // Docker vars pub const DOCKER_HOST: &str = "DOCKER_HOST"; +pub const DOCKER_CONTENT_TRUST: &str = "DOCKER_CONTENT_TRUST"; +pub const OAUTH_TOKEN_USER: &str = "oauth2accesstoken"; // Cosign vars pub const COSIGN_PASSWORD: &str = "COSIGN_PASSWORD"; diff --git a/utils/src/credentials.rs b/utils/src/credentials.rs index b33ca2a5..2ce2427d 100644 --- a/utils/src/credentials.rs +++ b/utils/src/credentials.rs @@ -11,7 +11,7 @@ use typed_builder::TypedBuilder; use crate::{ constants::{ BB_PASSWORD, BB_REGISTRY, BB_USERNAME, CI_REGISTRY, CI_REGISTRY_PASSWORD, CI_REGISTRY_USER, - GITHUB_ACTIONS, GITHUB_ACTOR, GITHUB_TOKEN, + GITHUB_ACTIONS, GITHUB_ACTOR, GITHUB_TOKEN, OAUTH_TOKEN_USER, }, string, }; @@ -75,7 +75,7 @@ static ENV_CREDENTIALS: LazyLock> = LazyLock::new(|| { (Some(username), _, _, _, _) if !username.is_empty() => username, (_, _, _, Some(DockerCredential::UsernamePassword(username, _)), _) | (_, _, _, _, Some(DockerCredential::UsernamePassword(username, _))) - if !username.is_empty() => + if !username.is_empty() && username != OAUTH_TOKEN_USER => { username.clone() }