manually triggered workflow to create and sign a manifest, in case we…

… need it

.github/workflows/manual_create_sign_manifest.yml

@@ -0,0 +1,59 @@
+name: manual manifest and sign
+# This will create a manifest $manifest_version using the built $version-arch tags
+on: 
+    workflow_dispatch:
+      inputs:
+        manifest_version:
+          required: true
+          description: 'version that people will be able to docker pull'
+        root_version:
+          required: true
+          description: 'tokendito version M.N.x'
+env:
+    REGISTRY: docker.io
+    REGISTRY_IMAGE: tokendito/tokendito
+
+jobs:
+    create_and_sign:
+        runs-on: ubuntu-latest
+        steps :
+        -
+            name: Login to Docker Hub
+            uses: docker/login-action@v2
+            with:
+                username: jpsevigny
+                password: ${{ secrets.DOCKERHUB_TOKEN }}
+        -
+            name: create files for signing
+            run: | 
+                mkdir -p ~/.docker/trust/private
+                echo "${DOCKER_PRIVATE_KEY}" > ~/.docker/trust/private/${DOCKER_PRIVATE_KEY_ID}.key
+                chmod 0600 ~/.docker/trust/private/${DOCKER_PRIVATE_KEY_ID}.key
+                docker trust key load ~/.docker/trust/private/${DOCKER_PRIVATE_KEY_ID}.key --name "${DOCKER_PRIVATE_KEY_ID}" 
+            env: 
+                DOCKER_PRIVATE_KEY_ID: "${{ secrets.DOCKER_PRIVATE_KEY_ID }}"
+                DOCKER_PRIVATE_KEY: "${{ secrets.DOCKER_PRIVATE_KEY }}"
+                DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: "${{ secrets.DOCKER_PRIVATE_KEY_PASSPHRASE }}"
+        -
+            name: create manifest and push it
+            # create and sign "$version" manifest
+            run: | 
+              DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create ${{ env.REGISTRY_IMAGE }}:${{ github.event.inputs.manifest_version }} --amend ${{env.REGISTRY_IMAGE}}:${{ github.event.inputs.root_version }}-amd64 --amend ${{env.REGISTRY_IMAGE}}:${{github.event.inputs.root_version}}-arm64
+              docker manifest push ${{ env.REGISTRY_IMAGE }}:${{github.event.inputs.manifest_version}}
+              docker pull ${{ env.REGISTRY_IMAGE }}:${{github.event.inputs.manifest_version}}
+              docker trust sign ${{ env.REGISTRY_IMAGE }}:${{github.event.inputs.manifest_version}}
+              docker manifest push ${{ env.REGISTRY_IMAGE }}:${{github.event.inputs.manifest_version}}
+            env: 
+              DOCKER_CONTENT_TRUST: 0
+              DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: "${{ secrets.DOCKER_PRIVATE_KEY_PASSPHRASE }}"
+        - 
+            name: Verify signatures
+            run: |
+              docker trust inspect --pretty ${{ env.REGISTRY_IMAGE }}:${{github.event.inputs.manifest_version}}
+        -
+            name: verify that secure download works
+            run: |
+               docker pull ${{ env.REGISTRY_IMAGE }}:${{github.event.inputs.manifest_version}}
+               docker run ${{ env.REGISTRY_IMAGE }}:${{github.event.inputs.manifest_version}}  --version         
+            env:
+                DOCKER_CONTENT_TRUST: 1