From 9ee3db1de5caa83773be8b802438dab4ccc0abb7 Mon Sep 17 00:00:00 2001 From: Gaël Goinvic <97093369+gaelgatelement@users.noreply.github.com> Date: Thu, 4 Jan 2024 12:49:33 +0100 Subject: Implement cosign on docker image (#16774) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gaël Goinvic --- .github/workflows/docker.yml | 17 ++++++++++++++++- changelog.d/16774.misc | 1 + 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 changelog.d/16774.misc diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 679b76440e..010bce863b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -11,7 +11,7 @@ on: permissions: contents: read packages: write - + id-token: write # needed for signing the images with GitHub OIDC Token jobs: build: runs-on: ubuntu-latest @@ -29,6 +29,9 @@ jobs: - name: Inspect builder run: docker buildx inspect + - name: Install Cosign + uses: sigstore/cosign-installer@v3.3.0 + - name: Checkout repository uses: actions/checkout@v4 @@ -68,6 +71,7 @@ jobs: type=pep440,pattern={{raw}} - name: Build and push all platforms + id: build-and-push uses: docker/build-push-action@v5 with: push: true @@ -82,3 +86,14 @@ jobs: # https://github.com/rust-lang/cargo/issues/10583 build-args: | CARGO_NET_GIT_FETCH_WITH_CLI=true + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAGS: ${{ steps.set-tag.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} diff --git a/changelog.d/16774.misc b/changelog.d/16774.misc new file mode 100644 index 0000000000..c5ad9bf68c --- /dev/null +++ b/changelog.d/16774.misc @@ -0,0 +1 @@ +Sign the published docker image using [cosign](https://docs.sigstore.dev/). \ No newline at end of file -- cgit 1.4.1