From 43619f58f6a3e71925da4e1ec673864dd0b6668c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ga=C3=ABl=20Goinvic?= Date: Wed, 3 Jan 2024 10:30:16 +0100 Subject: [PATCH 1/4] gaelg/add-cosign-signature MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gaƫl Goinvic --- .github/workflows/docker.yml | 15 +++++++++++++++ changelog.d/16774.misc | 1 + 2 files changed, 16 insertions(+) create mode 100644 changelog.d/16774.misc diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 679b76440e..fca06eede2 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -29,6 +29,9 @@ jobs: - name: Inspect builder run: docker buildx inspect + - name: Install Cosign + uses: sigstore/cosign-installer@v3.3.0 + - name: Checkout repository uses: actions/checkout@v4 @@ -68,6 +71,7 @@ jobs: type=pep440,pattern={{raw}} - name: Build and push all platforms + id: build-and-push uses: docker/build-push-action@v5 with: push: true @@ -82,3 +86,14 @@ jobs: # https://github.com/rust-lang/cargo/issues/10583 build-args: | CARGO_NET_GIT_FETCH_WITH_CLI=true + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAGS: ${{ steps.set-tag.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} diff --git a/changelog.d/16774.misc b/changelog.d/16774.misc new file mode 100644 index 0000000000..c5ad9bf68c --- /dev/null +++ b/changelog.d/16774.misc @@ -0,0 +1 @@ +Sign the published docker image using [cosign](https://docs.sigstore.dev/). \ No newline at end of file From bc14ec07b30671619bef33ca74ae90f274a1102d Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 3 Jan 2024 10:19:13 +0000 Subject: [PATCH 2/4] Enable docker image building temporarily for testing purposes --- .github/workflows/docker.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
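Review bot: In the first hunk of this patch, `sigstore/cosign-installer@v3.3.0` is pinned to a mutable release tag even though this step installs the tool whose output consumers will trust as this repository's signature; pin it to the full commit SHA of that release and keep the tag as a comment, `uses: sigstore/cosign-installer@<commit-sha-of-v3.3.0> # v3.3.0`. Once `id-token: write` is granted (the third patch in this series), every step in the job can request the workflow's OIDC token, so the same hardening applies to the other third-party actions in this job, notably `docker/metadata-action@master`, visible as context in the later hunks, which tracks a branch rather than a release. A retagged or compromised upstream reference would then run with the ability to sign under this repository's identity.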
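Review bot: The loop in the new `Sign the images with GitHub OIDC Token` step never checks that `DIGEST` is non-empty, so if `steps.build-and-push.outputs.digest` were ever unset the references passed to `cosign sign` would degrade to `${tag}@`; an explicit guard at the top of the script, `test -n "${DIGEST}" || { echo "build step produced no image digest" >&2; exit 1; }`, fails clearly instead of depending on cosign's reference parsing. Building the argument list as a space-joined string also relies on unquoted expansion of `${images}`; a bash array, `images+=("${tag}@${DIGEST}")` and `cosign sign --yes "${images[@]}"`, carries the same values without word-splitting surprises. Keyless signatures are only useful to consumers who know which identity to check, so the step deserves a comment describing verification, e.g. `# consumers verify with: cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity <this workflow's identity URL> <image>`.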
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index fca06eede2..0a3945fb45 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,6 +7,7 @@ on: tags: ["v*"] branches: [ master, main, develop ] workflow_dispatch: + pull_request: permissions: contents: read @@ -40,7 +41,7 @@ jobs: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell shell: bash run: | - echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml | sed -E 's/version\s*=\s*["]([^"]*)["]/\1/')" >> $GITHUB_ENV + echo "SYNAPSE_VERSION=0.0.0" >> $GITHUB_ENV - name: Log in to DockerHub uses: docker/login-action@v3 @@ -60,14 +61,11 @@ jobs: uses: docker/metadata-action@master with: images: | - docker.io/matrixdotorg/synapse ghcr.io/element-hq/synapse flavor: | latest=false tags: | - type=raw,value=develop,enable=${{ github.ref == 'refs/heads/develop' }} - type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} - type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + type=raw,value=test-cosign type=pep440,pattern={{raw}} - name: Build and push all platforms @@ -77,7 +75,6 @@ jobs: push: true labels: | gitsha1=${{ github.sha }} - org.opencontainers.image.version=${{ env.SYNAPSE_VERSION }} tags: "${{ steps.set-tag.outputs.tags }}" file: "docker/Dockerfile" platforms: linux/amd64,linux/arm64 From 40e8a598a2ffdc5e9fe48ca30aff64e9c32a490b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ga=C3=ABl=20Goinvic?= Date: Wed, 3 Jan 2024 13:02:14 +0100 Subject: [PATCH 3/4] add permission to use oidc token --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 0a3945fb45..b688d2fdef 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -12,7 +12,7 @@ on: permissions: contents: read packages: write - + id-token: write # needed for signing the images with GitHub OIDC Token jobs: build: runs-on: ubuntu-latest From 4e35d584916e08cc802d17cfca4cd5f1c435a51f Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 3 Jan 2024 13:40:04 +0000 Subject: [PATCH 4/4] Revert "Enable docker image building temporarily for testing purposes" This reverts commit bc14ec07b30671619bef33ca74ae90f274a1102d. --- .github/workflows/docker.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index b688d2fdef..010bce863b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,7 +7,6 @@ on: tags: ["v*"] branches: [ master, main, develop ] workflow_dispatch: - pull_request: permissions: contents: read @@ -41,7 +40,7 @@ jobs: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell shell: bash run: | - echo "SYNAPSE_VERSION=0.0.0" >> $GITHUB_ENV + echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml | sed -E 's/version\s*=\s*["]([^"]*)["]/\1/')" >> $GITHUB_ENV - name: Log in to DockerHub uses: docker/login-action@v3 @@ -61,11 +60,14 @@ jobs: uses: docker/metadata-action@master with: images: | + docker.io/matrixdotorg/synapse ghcr.io/element-hq/synapse flavor: | latest=false tags: | - type=raw,value=test-cosign + type=raw,value=develop,enable=${{ github.ref == 'refs/heads/develop' }} + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} type=pep440,pattern={{raw}} - name: Build and push all platforms @@ -75,6 +77,7 @@ jobs: push: true labels: | gitsha1=${{ github.sha }} + org.opencontainers.image.version=${{ env.SYNAPSE_VERSION }} tags: "${{ steps.set-tag.outputs.tags }}" file: "docker/Dockerfile" platforms: linux/amd64,linux/arm64
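Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so the OIDC token, and with it the ability to produce signatures attributed to this repository, is available to every job and every step in the file rather than only to the signing step; with a single `build` job this is equivalent today, but declaring the permission on the job that signs would keep any later job from inheriting it. The removed line appears to be the blank separator between `permissions:` and `jobs:`, so the addition should keep it: `  id-token: write  # needed for signing the images with GitHub OIDC Token` followed by an empty line before `jobs:` (the whitespace before `#` cannot be confirmed from the collapsed hunk; yamllint expects two spaces). Because any step in the job can now mint the token, the third-party actions that run before the signing step should be pinned by commit SHA, as raised on the first patch.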