VERSION 0.7
# MIRROR is a reusable command: it bases the calling target on the upstream
# image given by --image, applies labels through the shared LABEL command and
# saves the result with a cache hint.
MIRROR:
    COMMAND
    # Upstream image reference. Callers should pass a digest-pinned reference
    # where possible, since a bare tag can be re-pointed upstream.
    ARG image
    FROM ${image}
    # NOTE(review): +LABEL lives in ../.utils and is not visible here; its
    # --image=mirror argument appears to be its own parameter, not this
    # command's ${image} - confirm against ../.utils.
    DO ../.utils/+LABEL --image=mirror --version=main
    SAVE IMAGE --cache-hint
# Mirrors the distroless base image (Debian 12, nonroot). The reference carries
# a digest, so the digest fixes the pulled content and the tag is informational.
distroless-base:
    DO +MIRROR --image=gcr.io/distroless/base-debian12:nonroot@sha256:684dee415923cb150793530f7997c96b3cef006c868738a2728597773cf27359
# Mirrors the debug-nonroot variant of distroless static, pinned by digest.
# NOTE(review): distroless debug variants ship a busybox shell; presumably this
# mirror is meant for troubleshooting rather than as a production base - confirm.
distroless-static-debug:
    DO +MIRROR --image=gcr.io/distroless/static:debug-nonroot@sha256:1e5b9bb417e6f4ec664b56d9a73148ce5b4662895fbfddce2f27b945364d7948
# Mirrors the nonroot variant of distroless static. The reference carries a
# digest, so the digest fixes the pulled content and the tag is informational.
distroless-static:
    DO +MIRROR --image=gcr.io/distroless/static:nonroot@sha256:112a87f19e83c83711cc81ce8ed0b4d79acd65789682a6a272df57c4a0858534
# Mirrors the official Go toolchain image (1.21.6 on Debian bookworm).
# NOTE(review): pinned by tag only. Tags are mutable, so the mirrored content
# can change without this file changing; consider appending @sha256:<digest>
# as the digest-pinned targets in this file do.
golang:
    DO +MIRROR --image=docker.io/library/golang:1.21.6-bookworm
# Mirrors the official Alpine 3.19.0 image.
# NOTE(review): pinned by tag only. Tags are mutable, so the mirrored content
# can change without this file changing; consider appending @sha256:<digest>
# as the digest-pinned targets in this file do.
alpine:
    DO +MIRROR --image=docker.io/library/alpine:3.19.0
# Mirrors the Trivy scanner image, version 0.48.3.
# NOTE(review): pinned by tag only. Tags are mutable, so the mirrored content
# can change without this file changing; consider appending @sha256:<digest>
# as the digest-pinned targets in this file do.
trivy:
    DO +MIRROR --image=docker.io/aquasec/trivy:0.48.3
# Mirrors Fedora 39, pinned by digest. This target is also the base image of
# verify-distroless, so the verification environment itself is content-pinned.
fedora:
    DO +MIRROR --image=quay.io/fedora/fedora:39@sha256:490a2eb8c9ae75eb4f1cef7cd6bcd73c3fcc00e1a4822d3be592ff917b1353cf
# Mirrors the cosign v2.2.2 image and exports its binary as an artifact, which
# verify-distroless copies in to run the signature checks.
# NOTE(review): pinned by tag only. This binary is the tool that performs the
# verification, so a re-pointed tag would undermine every check that relies on
# it; consider appending @sha256:<digest> to the reference.
cosign:
    DO +MIRROR --image=gcr.io/projectsigstore/cosign:v2.2.2
    # /ko-app/cosign is the binary's path inside the upstream image.
    SAVE ARTIFACT /ko-app/cosign ./cosign
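# verify-distroless uses cosign to verify every mirrored distroless image
# against Google's keyless build identity. The image references are scraped
# from the mirror targets in this Earthfile, so the verified list cannot drift
# from what is actually mirrored.
verify-distroless:
    FROM +fedora
    COPY +cosign/cosign /usr/local/bin/cosign
    COPY ./Earthfile ./
    # Fail closed: the step aborts when no reference is found (the final grep
    # exits non-zero under set -e), and it refuses any reference without an
    # @sha256 digest, because a signature check on a mutable tag does not bind
    # the result to the bytes that get mirrored.
    # The RUN line below also matches the first grep, but the second grep
    # extracts nothing from it: the character after the prefix is not part of
    # an image reference.
    RUN set -eu; \
        refs="$(grep -F 'DO +MIRROR --image=gcr.io/distroless/' ./Earthfile | grep -Po 'gcr.io/distroless/[a-z0-9.@/:-]+')"; \
        for ref in $refs; do \
            case "$ref" in \
                *@sha256:*) ;; \
                *) echo "refusing to verify non-digest reference: $ref" >&2; exit 1 ;; \
            esac; \
        done; \
        /usr/local/bin/cosign verify \
            --certificate-oidc-issuer https://accounts.google.com \
            --certificate-identity keyless@distroless.iam.gserviceaccount.com \
            $refs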