add cosign

voigt · Sep 28, 2023 · 24b7f18 · 24b7f18
1 parent a4e07d9
commit 24b7f18
Showing 1 changed file with 66 additions and 13 deletions.
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
@@ -14,44 +14,97 @@ env:
 jobs:
   buildx:
     runs-on: ubuntu-latest
+    permissions:
+      # cosign uses the GitHub OIDC token
+      id-token: write
+      # needed to upload artifacts to a GH release
+      contents: write
+      packages: write
+      repository-projects: write
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      -
+      - # Set up QEMU
         name: Set up QEMU
         uses: docker/setup-qemu-action@v1
-      -
+      - # Setup Docker buildx
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
-      - 
-        name: Log in to the Container registry
-        uses: docker/login-action@v1
+        uses: docker/setup-buildx-action@v2
+      - # Install cosign
+        name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: v2.2.0
+      - # Login into registry
+        name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - 
         name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
       - 
         name: Build and push Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
+        id: build-tagged
         with:
-          context: .
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          file: Dockerfile
           labels: ${{ steps.meta.outputs.labels }}
+          file: Dockerfile
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+            ${{ steps.meta.outputs.tags }}
+      - 
+        name: Sign the image with GitHub OIDC token
+        shell: bash
+        run: |
+          cosign sign \
+            --yes \
+            --output-certificate crt.pem \
+            --output-signature kwasm.sig \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.workflow_sha }}@${{ steps.build-tagged.outputs.digest }}
+      -
+        name: prepare assets for upload
+        if: runner.os != 'Windows'
+        shell: bash
+        run: |
+          mkdir _dist
+          cat <<EOF > verify.txt
+          cosign verify \\
+              --signature kwasm.sig --certificate crt.pem \\
+              --certificate-identity https://github.com/${{ github.workflow_ref }} \\
+              --certificate-oidc-issuer https://token.actions.githubusercontent.com \\
+              --certificate-github-workflow-sha ${{ github.workflow_sha }} \\
+              --certificate-github-workflow-repository voigt/kwasm-operator \\
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.workflow_sha }}@${{ steps.build-tagged.outputs.digest }}
+          EOF
+          cp crt.pem kwasm.sig verify.txt _dist/
+      -
+        name: upload binary as GitHub artifact
+        if: runner.os != 'Windows'
+        uses: actions/upload-artifact@v3
+        with:
+          name: kwasm
+          path: _dist/
       - 
         name: Configure Git
         run: |