From f24a424e057521b2985f3d1347e88f787a841185 Mon Sep 17 00:00:00 2001
From: moabu <47318409+moabu@users.noreply.github.com>
Date: Mon, 29 Apr 2024 15:32:57 +0300
Subject: [PATCH 1/6] ci: sign images

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
---
 .github/workflows/docker_build_image.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/docker_build_image.yml b/.github/workflows/docker_build_image.yml
index 170250f56ca..451419924d7 100644
--- a/.github/workflows/docker_build_image.yml
+++ b/.github/workflows/docker_build_image.yml
@@ -59,6 +59,9 @@ jobs:
 with:
 egress-policy: audit
 
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.5.0
+
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -218,3 +221,14 @@ jobs:
 - name: Image digest
 if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
 run: echo ${{ steps.docker_build.outputs.digest }}
+
+ - name: Sign the images with GitHub OIDC Token
+ env:
+ DIGEST: ${{ steps.docker_build.outputs.digest }}
+ TAGS: ${{ steps.prep.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}

From 17ba7c6739e9ea3b98ee8a7a340cf7a5c074bd51 Mon Sep 17 00:00:00 2001
From: moabu <47318409+moabu@users.noreply.github.com>
Date: Mon, 29 Apr 2024 15:40:07 +0300
Subject: [PATCH 2/6] ci: skip signing if image is not build

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
---
 .github/workflows/docker_build_image.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/docker_build_image.yml b/.github/workflows/docker_build_image.yml
index 451419924d7..f89ef6ae4eb 100644
--- a/.github/workflows/docker_build_image.yml
+++ b/.github/workflows/docker_build_image.yml
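Review bot: `sigstore/cosign-installer@v3.5.0` in the first hunk is pinned to a mutable tag, while the neighbouring checkout step pins a full commit SHA with a version comment; for the step that installs the tool signing the release images, the supply-chain bar should be at least as high. Pin it the same way, `uses: sigstore/cosign-installer@<commit SHA of v3.5.0>  # v3.5.0`, so a moved or compromised tag cannot swap the installer. The `egress-policy: audit` context line above shows the runner hardening is in audit mode, so nothing would stop an altered installer from phoning out; SHA pinning is the cheaper control here.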
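Review bot: The new `Sign the images with GitHub OIDC Token` step in the second hunk publishes signatures but never verifies that they are discoverable and bound to the expected identity, which is the contract consumers will depend on. Add a follow-up step that runs `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<this repository's workflow ref>' <one signed image>@${DIGEST}`, and record the same issuer and identity in the project's verification instructions, since the certificate identity, not any annotation, is what a verifier should trust. Separately, `for tag in ${TAGS}` relies on `steps.prep.outputs.tags` being whitespace- or newline-separated; the prep step is outside this hunk, and if that output is comma-joined the loop would pass a single malformed reference, so make the delimiter explicit, e.g. `for tag in ${TAGS//,/ }; do`, or document the expected format next to the loop.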
@@ -223,6 +223,7 @@ jobs:
 run: echo ${{ steps.docker_build.outputs.digest }}
 
 - name: Sign the images with GitHub OIDC Token
+ if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
 env:
 DIGEST: ${{ steps.docker_build.outputs.digest }}
 TAGS: ${{ steps.prep.outputs.tags }}

From e6f0531b0391a3fe55137eeaa71ace606fc535a4 Mon Sep 17 00:00:00 2001
From: moabu <47318409+moabu@users.noreply.github.com>
Date: Mon, 29 Apr 2024 17:51:48 +0300
Subject: [PATCH 3/6] ci: add cosign private key

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
---
 .github/workflows/docker_build_image.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker_build_image.yml b/.github/workflows/docker_build_image.yml
index f89ef6ae4eb..0df8940a02f 100644
--- a/.github/workflows/docker_build_image.yml
+++ b/.github/workflows/docker_build_image.yml
@@ -227,9 +227,11 @@ jobs:
 env:
 DIGEST: ${{ steps.docker_build.outputs.digest }}
 TAGS: ${{ steps.prep.outputs.tags }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 images=""
 for tag in ${TAGS}; do
 images+="${tag}@${DIGEST} "
 done
- cosign sign --yes ${images}
+ cosign sign --yes -a author=JanssenProject

From 9a8ccd4a4884b76c0fa38c03968a52e2ea4b26ab Mon Sep 17 00:00:00 2001
From: moabu <47318409+moabu@users.noreply.github.com>
Date: Mon, 29 Apr 2024 17:57:08 +0300
Subject: [PATCH 4/6] ci: add cosign private key

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
---
 .github/workflows/docker_build_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker_build_image.yml b/.github/workflows/docker_build_image.yml
index 0df8940a02f..fe98cf5f3c4 100644
--- a/.github/workflows/docker_build_image.yml
+++ b/.github/workflows/docker_build_image.yml
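Review bot: The `if:` added to the signing step mirrors the build flags of the `Image digest` step but ignores which event triggered the run; if this workflow also runs on `pull_request` (the `on:` block is outside the hunk), keyless signing will fail on fork-originated runs, which receive no OIDC token, and on same-repo PRs it would sign images that were never meant to be released. Consider extending the condition, e.g. `if: steps.build_docker_image.outputs.build && steps.prep.outputs.build && github.event_name != 'pull_request'`, or reuse whatever condition enables the push in the build step so signing and publishing cannot diverge.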
@@ -234,4 +234,4 @@ jobs:
 for tag in ${TAGS}; do
 images+="${tag}@${DIGEST} "
 done
- cosign sign --yes -a author=JanssenProject
+ cosign sign --yes -a author=JanssenProject ${images}

From 3912f1406ab0ff1d5c7a0fdfb0f557abda3a6439 Mon Sep 17 00:00:00 2001
From: moabu <47318409+moabu@users.noreply.github.com>
Date: Mon, 29 Apr 2024 18:06:05 +0300
Subject: [PATCH 5/6] ci: id-token write

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
---
 .github/workflows/docker_build_image.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/docker_build_image.yml b/.github/workflows/docker_build_image.yml
index fe98cf5f3c4..32c63b2b12b 100644
--- a/.github/workflows/docker_build_image.yml
+++ b/.github/workflows/docker_build_image.yml
@@ -48,6 +48,7 @@ jobs:
 docker:
 permissions:
 packages: write
+ id-token: write
 runs-on: ubuntu-latest
 strategy:
 max-parallel: 8

From 4a1e86c11558f76e573ba9a0aa11d37ca15d5c82 Mon Sep 17 00:00:00 2001
From: moabu <47318409+moabu@users.noreply.github.com>
Date: Mon, 29 Apr 2024 18:11:50 +0300
Subject: [PATCH 6/6] ci: remove private key and password

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
---
 .github/workflows/docker_build_image.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/docker_build_image.yml b/.github/workflows/docker_build_image.yml
index 32c63b2b12b..58eddd8e0d7 100644
--- a/.github/workflows/docker_build_image.yml
+++ b/.github/workflows/docker_build_image.yml
@@ -228,8 +228,6 @@ jobs:
 env:
 DIGEST: ${{ steps.docker_build.outputs.digest }}
 TAGS: ${{ steps.prep.outputs.tags }}
- COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 images=""
 for tag in ${TAGS}; do
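Review bot: `-a author=JanssenProject` on the restored `cosign sign` line is a free-form annotation: it is covered by the signature, but any workflow that can obtain a Sigstore certificate can write the same string, so it must never be what a verifier keys on. Document that consumers check the certificate identity (this repository's workflow ref and the GitHub OIDC issuer) and treat annotations as informational, for instance with `# annotations are informational; verifiers must check the OIDC certificate identity` above the command. Patch 3's version of this line invoked cosign with no image reference at all, which this commit repairs; a `cosign verify` step after signing would have caught that in CI rather than in review.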
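Review bot: `id-token: write` is granted at job level in patch 5, so every step in the `docker` job (checkout, the build action, the installer) — not only `cosign sign` — can mint an OIDC token that Fulcio, and any cloud role configured to trust this repository, will accept. That is how GitHub Actions permissions work, but it raises the cost of a compromised or tag-pinned action in this job, and the `egress-policy: audit` setting visible in patch 1 means such a token could leave the runner without being blocked. Pin every action in the job by commit SHA, and once the audit logs show which endpoints cosign contacts, consider moving the harden-runner policy to `block` with an explicit allowlist so the token can only be spent where the workflow intends.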