forked from GoogleContainerTools/distroless
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcloudbuild.yaml
79 lines (68 loc) · 2.25 KB
/
cloudbuild.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
timeout: 3600s # 60 minutes
options:
machineType: N1_HIGHCPU_8
steps:
# Unfortunately gcr.io/cloud-marketplace-containers/google/bazel is
# no longer maintained. The cloud-build project is, but does not tag
# images with bazel versions. The SHA hash was found manually and
# verified with:
#
# docker pull gcr.io/cloud-builders/bazel
# docker run --rm -ti gcr.io/cloud-builders/bazel version
# docker image inspect gcr.io/cloud-builders/bazel --format '{{.Id}}'
#
# See: https://github.com/GoogleCloudPlatform/cloud-builders/issues/667
- name: gcr.io/cloud-builders/bazel@sha256:cb5766ff99f3df2fa7db38ea4e07423e84b36b4c7236e0f21197e16dc979947f
env:
- PROJECT_ID=${PROJECT_ID}
- COMMIT_SHA=${COMMIT_SHA}
- REGISTRY=gcr.io
entrypoint: sh
args:
- -c
- |
#!/bin/sh
set -o errexit
set -o xtrace
# package manager needs wget
apt-get install wget
# Make sure python points to python3
update-alternatives --install /usr/bin/python python /usr/bin/python3 0
# fetch all dependencies with retries and backoff
for i in $(seq 5); do bazel fetch --loading_phase_threads=1 //... && break || sleep 20; done
bazel run //:publish
bazel build all.tar
- name: docker
env:
- PROJECT_ID=${PROJECT_ID}
- COMMIT_SHA=${COMMIT_SHA}
- REGISTRY=gcr.io
entrypoint: ./cloudbuild_docker.sh
- name: ubuntu
entrypoint: ./cloudbuild_jq.sh
- name: gcr.io/projectsigstore/cosign:v1.9.0@sha256:ef2d14e16dbb7786d8713e4898a8512e69ace4105f5b371a9c115ffcc3e85d84
env:
- PROJECT_ID=${PROJECT_ID}
- COMMIT_SHA=${COMMIT_SHA}
- REGISTRY=gcr.io
# Workaround for: https://github.com/GoogleContainerTools/distroless/issues/914
# /tmp has permissions 777
- TUF_ROOT=/tmp
entrypoint: sh
args:
- -c
- ./cloudbuild_cosign.sh --key $_KMS_VAL
- name: gcr.io/projectsigstore/cosign:v1.9.0@sha256:ef2d14e16dbb7786d8713e4898a8512e69ace4105f5b371a9c115ffcc3e85d84
env:
- PROJECT_ID=${PROJECT_ID}
- COMMIT_SHA=${COMMIT_SHA}
- REGISTRY=gcr.io
# Workaround for: https://github.com/GoogleContainerTools/distroless/issues/914
# /tmp has permissions 777
- TUF_ROOT=/tmp
- COSIGN_EXPERIMENTAL=true
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
entrypoint: sh
args:
- -c
- ./cloudbuild_cosign.sh