BC-3751 sign images using cosign

hpi-schul-cloud · Sep 11, 2024 · fed662e · fed662e
1 parent f9b2095
commit fed662e
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 1 deletion.
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -37,6 +37,8 @@ jobs:
           tags: |
             type=ref,event=branch,enable=false,priority=600
             type=sha,enable=true,priority=600,prefix=
+            type=sha,format=long
+
       - name: Log into registry
         uses: docker/login-action@v3
         with:
@@ -49,6 +51,7 @@ jobs:
          echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
 
       - name: Build and push ${{ github.repository }}
+        id: build_and_push
         if: ${{ env.IMAGE_EXISTS == 0 }}
         uses: docker/build-push-action@v5
         with:
@@ -60,6 +63,33 @@ jobs:
           tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
           labels: ${{ steps.docker_meta_img.outputs.labels }}
 
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Sign image with a key
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
+        env:
+          TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
+          DIGEST: ${{ steps.build_and_push.outputs.digest }}
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build_and_push.outputs.digest }}
+          TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
   branch_meta:
     runs-on: ubuntu-latest
     outputs:

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -22,7 +22,8 @@ jobs:
           images: docker.io/schulcloud/version-aggregator, quay.io/schulcloudverbund/version-aggregator
           tags: |
             type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}            
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,format=long
 
       - name: Log into docker registry
         uses: docker/login-action@v3
@@ -38,6 +39,7 @@ jobs:
           password: ${{ secrets.QUAY_TOKEN }}
 
       - name: Build and push ${{ github.repository }}
+        id: build_and_push
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -47,3 +49,31 @@ jobs:
           pull: true
           tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
           labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
+
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Sign image with a key
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
+        env:
+          TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
+          DIGEST: ${{ steps.build_and_push.outputs.digest }}
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build_and_push.outputs.digest }}
+          TAGS: ${{ steps.docker_meta_img.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}