From 24b7f18b16af92eb6e2ee2391962ce7079a34bf4 Mon Sep 17 00:00:00 2001
From: Christoph Voigt
Date: Thu, 28 Sep 2023 14:31:33 +0200
Subject: [PATCH] add cosign
---
.github/workflows/docker-build-push.yml | 79 +++++++++++++++++++++----
1 file changed, 66 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
index efecf31..823f735 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -14,22 +14,35 @@ env:
 jobs:
 buildx:
 runs-on: ubuntu-latest
+ permissions:
+ # cosign uses the GitHub OIDC token
+ id-token: write
+ # needed to upload artifacts to a GH release
+ contents: write
+ packages: write
+ repository-projects: write
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
- -
+ - # Set up QEMU
 name: Set up QEMU
 uses: docker/setup-qemu-action@v1
- -
+ - # Setup Docker buildx
 name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v1
- -
- - name: Log in to the Container registry
- uses: docker/login-action@v1
+ uses: docker/setup-buildx-action@v2
+ - # Install cosign
+ name: Install Cosign
+ uses: sigstore/cosign-installer@v3.0.1
+ with:
+ cosign-release: v2.2.0
+ - # Login into registry
+ name: Login to GitHub Container Registry
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
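Review bot: The new `permissions:` block grants more than the steps in this diff use: `repository-projects: write` is not exercised by any step visible here, and `contents: write` is justified by the comment as "needed to upload artifacts to a GH release", yet the diff only adds `actions/upload-artifact`, which does not need a write scope on `contents` — unless the `Configure Git` step further down pushes back to the repository, `contents: read` is enough. Keyless `cosign sign` needs only `id-token: write` and the GHCR push is covered by `packages: write`, so I would trim the block to those two (plus whatever the git step can be shown to need) and reword the comment to name the step that consumes each scope. The login step is guarded with `if: github.event_name != 'pull_request'`, but the sign, prepare-assets and upload steps added in the next hunk carry no such guard; on a pull_request run the image is not pushed (`push:` evaluates to false) and the registry login is skipped, so `cosign sign` on `steps.build-tagged.outputs.digest` will most likely fail or sign a ref that never reached GHCR — apply the same `if:` to those three steps. Pinning is also inconsistent: `docker/setup-qemu-action@v1` stays on a floating major tag while its siblings move to v2–v5 and cosign-installer to the patch tag `v3.0.1`; since this workflow now produces signatures that downstream verifiers will trust, pin every `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # v3.0.1`.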
@@ -37,21 +50,61 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@v3
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
 - name: Build and push Docker image
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v5
+ id: build-tagged
 with:
- context: .
- push: true
+ push: ${{ github.event_name != 'pull_request' }}
 platforms: linux/amd64,linux/arm64
- tags: ${{ steps.meta.outputs.tags }}
- file: Dockerfile
 labels: ${{ steps.meta.outputs.labels }}
+ file: Dockerfile
 cache-from: type=gha
 cache-to: type=gha,mode=max
+ tags: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ ${{ steps.meta.outputs.tags }}
+ -
+ name: Sign the image with GitHub OIDC token
+ shell: bash
+ run: |
+ cosign sign \
+ --yes \
+ --output-certificate crt.pem \
+ --output-signature kwasm.sig \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.workflow_sha }}@${{ steps.build-tagged.outputs.digest }}
+ -
+ name: prepare assets for upload
+ if: runner.os != 'Windows'
+ shell: bash
+ run: |
+ mkdir _dist
+ cat < verify.txt
+ cosign verify \\
+ --signature kwasm.sig --certificate crt.pem \\
+ --certificate-identity https://github.com/${{ github.workflow_ref }} \\
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \\
+ --certificate-github-workflow-sha ${{ github.workflow_sha }} \\
+ --certificate-github-workflow-repository voigt/kwasm-operator \\
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.workflow_sha }}@${{ steps.build-tagged.outputs.digest }}
+ EOF
+ cp crt.pem kwasm.sig verify.txt _dist/
+ -
+ name: upload binary as GitHub artifact
+ if: runner.os != 'Windows'
+ uses: actions/upload-artifact@v3
+ with:
+ name: kwasm
+ path: _dist/
 - name: Configure Git
 run: |