From fed662e74b89aa6ed34844a0a32caa2fd6f6b606 Mon Sep 17 00:00:00 2001 From: Phillip Wirth Date: Wed, 11 Sep 2024 11:34:05 +0200 Subject: [PATCH] BC-3751 sign images using cosign --- .github/workflows/push.yml | 30 ++++++++++++++++++++++++++++++ .github/workflows/tag.yml | 32 +++++++++++++++++++++++++++++++- 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 9859840..fbc0b52 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -37,6 +37,8 @@ jobs: tags: | type=ref,event=branch,enable=false,priority=600 type=sha,enable=true,priority=600,prefix= + type=sha,format=long + - name: Log into registry uses: docker/login-action@v3 with: @@ -49,6 +51,7 @@ jobs: echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV - name: Build and push ${{ github.repository }} + id: build_and_push if: ${{ env.IMAGE_EXISTS == 0 }} uses: docker/build-push-action@v5 with: @@ -60,6 +63,33 @@ jobs: tags: ghcr.io/${{ github.repository }}:${{ github.sha }} labels: ${{ steps.docker_meta_img.outputs.labels }} + - name: Install Cosign + uses: sigstore/cosign-installer@v3.6.0 + + - name: Sign image with a key + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images} + env: + TAGS: ${{ steps.docker_meta_img.outputs.tags }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }} + DIGEST: ${{ steps.build_and_push.outputs.digest }} + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build_and_push.outputs.digest }} + TAGS: ${{ steps.docker_meta_img.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} + branch_meta: runs-on: ubuntu-latest outputs: 
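Review bot: The added `type=sha,format=long` entry in the first hunk never reaches the registry in this workflow, because the build-push step's `tags:` is the hard-coded `ghcr.io/${{ github.repository }}:${{ github.sha }}` rather than `steps.docker_meta_img.outputs.tags` (visible as context in the third hunk). With metadata-action's default `sha-` prefix this entry presumably yields a `sha-<full sha>` name that exists only in the TAGS list fed to the sign loop, where the tag component is superseded by `@${DIGEST}` anyway, so its only effect is a second `cosign sign` of the same digest in the same repository. If the intent is to publish the long-SHA tag, point the build step at the metadata output with `tags: ${{ steps.docker_meta_img.outputs.tags }}`; otherwise the entry can be dropped.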
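Review bot: The three new steps in the third hunk run unconditionally, but the build step above them is guarded by `if: ${{ env.IMAGE_EXISTS == 0 }}`; when the image already exists the build is skipped, `steps.build_and_push.outputs.digest` is empty, and both `cosign sign` invocations are handed references of the form `ghcr.io/<repo>:<tag>@`, which cosign cannot parse, so a rerun on an already-built commit fails instead of signing. Either add the same `if: ${{ env.IMAGE_EXISTS == 0 }}` to the install step and both sign steps, or resolve the digest from the existing manifest (e.g. `docker manifest inspect`) so a rerun still produces a signature. The keyless step also depends on `id-token: write` (and `packages: write` to push the signature to ghcr.io) in the job's `permissions:`, which is outside this hunk; without it the OIDC token request fails. For a change whose purpose is supply-chain integrity, `sigstore/cosign-installer@v3.6.0` should be pinned to the release's commit SHA rather than a mutable tag, since a hijacked tag would run attacker code with `COSIGN_PRIVATE_KEY` in its environment. Note that this workflow signs every branch push with the same key and workflow identity, so verifiers must pin `--certificate-identity` (or a tight `--certificate-identity-regexp`) and `--certificate-oidc-issuer` to the intended workflow and ref rather than accepting any signature from the repository.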
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml index 3ed6680..79b323e 100644 --- a/.github/workflows/tag.yml +++ b/.github/workflows/tag.yml @@ -22,7 +22,8 @@ jobs: images: docker.io/schulcloud/version-aggregator, quay.io/schulcloudverbund/version-aggregator tags: | type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}}.{{minor}} + type=sha,format=long - name: Log into docker registry uses: docker/login-action@v3 @@ -38,6 +39,7 @@ jobs: password: ${{ secrets.QUAY_TOKEN }} - name: Build and push ${{ github.repository }} + id: build_and_push uses: docker/build-push-action@v5 with: context: . @@ -47,3 +49,31 @@ jobs: pull: true tags: ${{ steps.docker_meta_img_hub.outputs.tags }} labels: ${{ steps.docker_meta_img_hub.outputs.labels }} + + + - name: Install Cosign + uses: sigstore/cosign-installer@v3.6.0 + + - name: Sign image with a key + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images} + env: + TAGS: ${{ steps.docker_meta_img.outputs.tags }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }} + DIGEST: ${{ steps.build_and_push.outputs.digest }} + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build_and_push.outputs.digest }} + TAGS: ${{ steps.docker_meta_img.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} \ No newline at end of file
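Review bot: Both new sign steps in the third hunk read `TAGS: ${{ steps.docker_meta_img.outputs.tags }}`, but no step with that id exists in this workflow; the metadata step here is `docker_meta_img_hub`, as the `tags:`/`labels:` context lines of the build step show, so the env block looks copy-pasted from push.yml. An unknown step output evaluates to an empty string, the loop builds nothing, and `cosign sign` is invoked without any image argument; whether it errors out or exits quietly, the docker.io and quay.io release images, the ones consumers actually pull, are never signed even though the workflow appears to sign them. The fix is `TAGS: ${{ steps.docker_meta_img_hub.outputs.tags }}` in both env blocks; since that output names both registries, the single build digest is then signed into docker.io and quay.io, relying on the two login steps earlier in the job. As in push.yml, the keyless step requires `id-token: write` in the job's `permissions:` (outside this hunk), and `sigstore/cosign-installer@v3.6.0` should be pinned to a commit SHA rather than a mutable tag. The file also loses its trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule would flag.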