Skip to content

Commit

Permalink
add cosign for image signing
Browse files Browse the repository at this point in the history
  • Loading branch information
@voigt @0xE282B0
voigt authored and 0xE282B0 committed Oct 13, 2023
1 parent 58b73f0 commit 57bae1b
Showing 1 changed file with 67 additions and 19 deletions.
86 changes: 67 additions & 19 deletions .github/workflows/docker-build-push.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,55 +14,103 @@ env:
jobs:
buildx:
runs-on: ubuntu-latest
permissions:
# cosign uses the GitHub OIDC token
id-token: write
# needed to upload artifacts to a GH release
contents: write
packages: write
repository-projects: write
steps:
-
- # Checkout Repository
name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
fetch-depth: 0
-
- # Set up QEMU
name: Set up QEMU
uses: docker/setup-qemu-action@v1
-
- # Setup Docker buildx
name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
-
name: Log in to the Container registry
uses: docker/login-action@v1
uses: docker/setup-buildx-action@v2
- # Install cosign
name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: v2.2.0
- # Login into registry
name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
- # Extract Docker metadata
name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v3
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- # Build and push to GHCR Registry
name: Build and push Docker image
uses: docker/build-push-action@v2
uses: docker/build-push-action@v5
id: build-tagged
with:
context: .
push: true
push: ${{ github.event_name != 'pull_request' }}
platforms: linux/amd64,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
file: Dockerfile
labels: ${{ steps.meta.outputs.labels }}
file: Dockerfile
cache-from: type=gha
cache-to: type=gha,mode=max
-
tags: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
${{ steps.meta.outputs.tags }}
- # Keyless signing of Image with Cosign
name: Sign the image with GitHub OIDC token
shell: bash
run: |
cosign sign \
--yes \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }}
- # Prepare verification assets
name: Prepare assets for upload
if: runner.os != 'Windows'
shell: bash
run: |
mkdir _dist
cat <<EOF > verify.txt
cosign verify \\
--certificate-identity https://github.com/${{ github.workflow_ref }} \\
--certificate-oidc-issuer https://token.actions.githubusercontent.com \\
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }}
EOF
cp verify.txt _dist/
- # Upload verification assets
name: upload binary as GitHub artifact
if: runner.os != 'Windows'
uses: actions/upload-artifact@v3
with:
name: kwasm
path: _dist/
- # Configure Git
name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
-
- # Install Helm
name: Install Helm
uses: azure/setup-helm@v3
with:
version: v3.10.0
-
- # Run chart-releaser
name: Run chart-releaser
if: github.ref == 'refs/heads/main'
uses: helm/[email protected]
Expand Down

0 comments on commit 57bae1b

Please sign in to comment.