

ci(release): add oci artifact signature with cosign
Signed-off-by: Massimiliano Giovagnoli <[email protected]>
maxgio92 committed May 25, 2023
1 parent f773578 commit f5d7a5c
Showing 1 changed file with 27 additions and 18 deletions.
45 changes: 27 additions & 18 deletions .github/workflows/release.yaml
Expand Up @@ -9,50 +9,59 @@ on:
jobs:
release-rulesfile:
runs-on: ubuntu-latest
env:
AWS_S3_BUCKET: falco-distribution
AWS_S3_PREFIX: rules
AWS_S3_REGION: eu-west-1

# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
id-token: write
contents: read
packages: write

env:
RULES_FILE: falco_rules.yaml

OCI_REGISTRY: ghcr.io
ARTIFACT_NAME: falco-rules

steps:

# Get rules repository
- name: Checkout Rules
uses: actions/checkout@v3

# Get registry artifact tool
- name: Setup Golang
uses: actions/setup-go@v3
with:
go-version: '^1.19'

go-version-file: build/registry/go.mod
- name: Build registry artifact tool
working-directory: build/registry
run: go build -o rules-registry ./...

- name: Get lowercase OCI repo prefix
run: |
echo "OCI_REPO_PREFIX=ghcr.io/${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
- name: Upload OCI artifacts to GitHub packages
id: oci_build
env:
REGISTRY_USER: ${{ github.repository_owner }}
REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git

# uses OCI_REPO_PREFIX environment variable
run: build/registry/rules-registry push-to-oci registry.yaml ${{ github.ref_name }}
run: >-
echo "::set-output name=ARTIFACT_DIGEST::$(
build/registry/rules-registry push-to-oci registry.yaml ${{ github.ref_name }}
)"
- run: "echo ${{ steps.oci_build.outputs.ARTIFACT_DIGEST }}"

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
# Create a signature of the rules artifact as OCI artifact
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
role-to-assume: "arn:aws:iam::292999226676:role/terraform-20230120142903096000000002"
aws-region: ${{ env.AWS_S3_REGION }}

- name: Upload files to S3
cosign-release: 'v2.0.2'
- run: cosign version
- name: Sign the images with GitHub OIDC Token
env:
# Add support for OCI v1.1
COSIGN_EXPERIMENTAL: 1
run: cosign sign --yes ${OCI_REGISTRY}/${{ github.repository }}/${ARTIFACT_NAME}@${{ steps.oci_build.outputs.ARTIFACT_DIGEST }}

# uses AWS_S3_BUCKET, AWS_S3_PREFIX, AWS_S3_REGION environment variables
run: build/registry/rules-registry upload-to-s3 registry.yaml ${{ github.ref_name }}
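Review bot: `uses: sigstore/cosign-installer@main` installs the signing tool from a mutable branch inside a job that holds `id-token: write` and `packages: write`, so whatever that branch resolves to at run time receives the OIDC token and can produce signatures for the release artifact; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: sigstore/cosign-installer@<release-tag-or-commit-sha>`. The sign step also builds its target from `${{ github.repository }}` while the push step uses the lowercased `OCI_REPO_PREFIX` it computed two steps earlier; GHCR paths must be lowercase, so deriving the reference from the same variable, `cosign sign --yes ${OCI_REPO_PREFIX}/${ARTIFACT_NAME}@${{ steps.oci_build.outputs.ARTIFACT_DIGEST }}`, keeps what gets signed identical to what was pushed for repositories with mixed-case names. The `::set-output` workflow command in `oci_build` is deprecated by GitHub; writing `echo "ARTIFACT_DIGEST=$(build/registry/rules-registry push-to-oci registry.yaml ${{ github.ref_name }})" >> "$GITHUB_OUTPUT"` avoids the warning and the eventual removal. Since the digest is whatever `push-to-oci` prints to stdout, a guard such as `test -n "$ARTIFACT_DIGEST"` before signing would catch an empty or unexpected value rather than let `cosign sign` fail on a malformed reference. The `- run: cosign version` step would read better with a `name:` like the surrounding steps.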

