From 6d0b06f52f82728b7fe0e27e1d11aedadad093ab Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Wed, 11 Sep 2024 11:34:05 +0200
Subject: [PATCH] BC-3751 sign images using cosign

---
 .github/workflows/push.yml | 30 ++++++++++++++++++++++++++++++
 .github/workflows/tag.yml | 34 ++++++++++++++++++++++++++++++++--
 2 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 9859840..fbc0b52 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -37,6 +37,8 @@ jobs:
 tags: |
 type=ref,event=branch,enable=false,priority=600
 type=sha,enable=true,priority=600,prefix=
+ type=sha,format=long
+
 - name: Log into registry
 uses: docker/login-action@v3
 with:
@@ -49,6 +51,7 @@ jobs:
 echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
 
 - name: Build and push ${{ github.repository }}
+ id: build_and_push
 if: ${{ env.IMAGE_EXISTS == 0 }}
 uses: docker/build-push-action@v5
 with:
@@ -60,6 +63,33 @@ jobs:
 tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
 labels: ${{ steps.docker_meta_img.outputs.labels }}
 
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.6.0
+
+ - name: Sign image with a key
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
+ env:
+ TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
+ DIGEST: ${{ steps.build_and_push.outputs.digest }}
+
+ - name: Sign the images with GitHub OIDC Token
+ env:
+ DIGEST: ${{ steps.build_and_push.outputs.digest }}
+ TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
+
 branch_meta:
 runs-on: ubuntu-latest
 outputs:
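Review bot: Both new signing steps expand `${{ steps.build_and_push.outputs.digest }}`, but the Build and push step they depend on is skipped whenever `env.IMAGE_EXISTS == 0` is false (its `if:` is visible in the previous hunk), so on a re-run for a commit whose image was already pushed DIGEST is empty, every reference becomes `tag@`, and the job fails at cosign rather than signing anything. Add `if: ${{ env.IMAGE_EXISTS == 0 }}` to both signing steps, or resolve the digest of the already-present image before signing so the image is signed by digest in both paths. The keyless step also needs `id-token: write` in the job's `permissions`, which lies outside this hunk (the same applies to tag.yml); confirm it is granted or the OIDC exchange fails. `sigstore/cosign-installer@v3.6.0` here and in tag.yml is pinned to a movable tag; a step that is handed the signing key and its password should be pinned to the full commit SHA, with the version kept in a trailing comment.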
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 3ed6680..3a8512f 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -16,13 +16,14 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Docker meta Service Name for docker hub
- id: docker_meta_img_hub
+ id: docker_meta_img
 uses: docker/metadata-action@v5
 with:
 images: docker.io/schulcloud/version-aggregator, quay.io/schulcloudverbund/version-aggregator
 tags: |
 type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=sha,format=long
 
 - name: Log into docker registry
 uses: docker/login-action@v3
@@ -38,6 +39,7 @@ jobs:
 password: ${{ secrets.QUAY_TOKEN }}
 
 - name: Build and push ${{ github.repository }}
+ id: build_and_push
 uses: docker/build-push-action@v5
 with:
 context: .
@@ -47,3 +49,31 @@ jobs:
 pull: true
 tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
 labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
+
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.6.0
+
+ - name: Sign image with a key
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
+ env:
+ TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
+ DIGEST: ${{ steps.build_and_push.outputs.digest }}
+
+ - name: Sign the images with GitHub OIDC Token
+ env:
+ DIGEST: ${{ steps.build_and_push.outputs.digest }}
+ TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
\ No newline at end of file
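Review bot: Renaming the metadata step to `id: docker_meta_img` breaks the Build and push step, whose `tags:` and `labels:` (context lines of the third hunk) still read `steps.docker_meta_img_hub.outputs.tags` and `steps.docker_meta_img_hub.outputs.labels`; those expressions now resolve to empty strings, so the build receives no semver tags or labels while the new signing steps iterate over the renamed step's tag list, which no longer matches what was pushed. Update both references to `tags: ${{ steps.docker_meta_img.outputs.tags }}` and `labels: ${{ steps.docker_meta_img.outputs.labels }}`, or keep the original id and point the new `TAGS` env entries at it. The `-`/`+` pair on the `{{major}}.{{minor}}` line appears to be a whitespace-only change; if so it is noise in the diff and worth reverting.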
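Review bot: The `images` loop is copied verbatim into both signing steps of this hunk, and again into push.yml, so the four copies will drift the first time one of them is edited; compute the reference list once in a step that appends `IMAGES=...` to `$GITHUB_ENV` (the mechanism push.yml already uses for `IMAGE_EXISTS`) and have both `cosign sign` invocations read `${IMAGES}`. The loop deliberately relies on unquoted word splitting of `${TAGS}` and `${images}`, which a reader may flag as a bug; a comment such as `# unquoted on purpose: TAGS is whitespace-separated, one ref per word` above the loop would make that intent explicit. The file is now committed without a trailing newline (`\ No newline at end of file`).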