Added Cosign

DazWilkin · Jun 27, 2023 · 9408417 · 9408417
1 parent 8b2c627
commit 9408417
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 20 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -12,19 +12,20 @@ jobs:
     env:
       REPO: dazwilkin/koyeb-exporter
     steps:
-      - name: Checkout
+      - name: checkout
         uses: actions/checkout@v3
-      - name: Setup
+      - name: setup
         uses: docker/setup-buildx-action@v2
-      - name: Login
+      - name: login
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GHCR }}
-      - name: Get kernel version
+      - name: get-version
         run: echo "VERSION=$(uname --kernel-release)" >> ${GITHUB_ENV}
-      - name: build-push
+      - name: docker-build-push
+        id: docker-build-push
         uses: docker/build-push-action@v4
         with:
           context: .
@@ -34,21 +35,22 @@ jobs:
             COMMIT=${{ github.sha }}
           tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
           push: true
-    #   - name: Sigstore installer
-    #     uses: sigstore/cosign-installer@main
-    #   - name: Write signing key to disk (only needed for `cosign sign --key`)
-    #     run: echo "${{ secrets.SIGNING }}" > ./cosign.key
-    #   - name: Sign container image
-    #     run: |
-    #       cosign sign \
-    #       --key=./cosign.key \
-    #       --annotations="repo=${{ github.repository }}" \
-    #       --annotations="workflow=${{ github.workflow }}" \
-    #       --annotations="commit=${{ github.sha }}" \
-    #       --annotations="version=${{ env.VERSION }}" \
-    #       ghcr.io/${{ env.REPO }}:${{ github.sha }}
-    #     env:
-    #       COSIGN_PASSWORD: ""
+      - name: install-cosign
+        uses: sigstore/cosign-installer@main
+      - name: write-key
+        run: echo "${{ secrets.SIGNING }}" > ./cosign.key
+      - name: sign-image
+        run: |
+          cosign sign \
+          --yes \
+          --key=./cosign.key \
+          --annotations="repo=${{ github.repository }}" \
+          --annotations="workflow=${{ github.workflow }}" \
+          --annotations="commit=${{ github.sha }}" \
+          --annotations="version=${{ env.VERSION }}" \
+          ghcr.io/${{ env.REPO }}@${{ steps.docker-build-push.outputs.digest }}
+        env:
+          COSIGN_PASSWORD: ""
     #   - name: Revise occurrences of the image
     #     run: |
     #       git config --local user.email "action@github.com"

diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+# Cosign private key
+cosign.key
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZQFexW07am2f7/J8YixsYxRF9m+h
+oN5o7SBm4Xv20ZuYajFX5DPFGmnf90+OdOhu5R/a5uiYe0+cHbeawS2kOg==
+-----END PUBLIC KEY-----