From 8d8879262d12bd203679a2d7bcd497fd6635700e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Fri, 11 Oct 2024 14:19:27 +0200
Subject: [PATCH] ci: Sign image on container--image workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: VĂ­ctor Cuadrado Juan
---
 .github/workflows/container-build.yml | 9 -------
 .github/workflows/container-image.yml | 12 +++++++++
 .github/workflows/sign-image.yml | 37 ---------------------------
 3 files changed, 12 insertions(+), 46 deletions(-)
 delete mode 100644 .github/workflows/sign-image.yml

diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
index 20e10615..69a93952 100644
--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@@ -20,15 +20,6 @@ jobs:
 with:
 push-image: true
 
- sign:
- needs: build
- uses: ./.github/workflows/sign-image.yml
- permissions:
- packages: write
- id-token: write
- with:
- image-digest: ${{ needs.build.outputs.digest }}
-
 sbom:
 needs: build
 uses: ./.github/workflows/attestation.yml
diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
index 047daf7b..0844f4ed 100644
--- a/.github/workflows/container-image.yml
+++ b/.github/workflows/container-image.yml
@@ -34,6 +34,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ - name: Install cosign
+ uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
 - name: Set up QEMU
 uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
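Review bot: Removing the `sign` job also removes the only place this caller granted `id-token: write` and `packages: write`, which keyless cosign signing and pushing the signature to ghcr.io require; the signing step now runs inside the reusable container-image.yml workflow, and a called workflow's jobs cannot exceed the permissions of the calling job. The `build` job's `permissions` block sits above this hunk and is not visible here, so confirm it grants both, otherwise the new sign step will presumably fail at runtime. If it does not, add `permissions:` / `  id-token: write` / `  packages: write` to the `build` job. The `jobs:` mapping this hunk belongs to continues outside it.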
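Review bot: The new `Install cosign` step pins `sigstore/cosign-installer` at `4959ce089c160fddf62f7b42464195ba1a56d382` (v3.6.0), while the sign-image.yml workflow this same commit deletes was already pinned to `dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da` (v3.7.0), so moving the step silently downgrades the installer. Unless the older release is needed for a reason not stated in the commit, carry the existing pin over: `uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0`. The enclosing `steps:` list continues past the end of the hunk.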
@@ -69,6 +71,16 @@ jobs:
 provenance: mode=max
 tags: |
 ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}
+ - name: Sign container image
+ run: |
+ cosign sign --yes \
+ ghcr.io/${{github.repository_owner}}/kubewarden-controller:@${{ steps.build-image.outputs.digest }}
+
+ cosign verify \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/container-image.yml:${{ github.ref }}" \
+ ghcr.io/${{github.repository_owner}}/kubewarden-controller:@${{ steps.build-image.outputs.digest }}
+
 - # Only build amd64 because buildx does not allow multiple platforms when
 # exporting the image to a tarball. As we use this only for end-to-end tests
 # and they run on amd64 arch, let's skip the arm64 build for now.
diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml
deleted file mode 100644
index 1c8bfdb9..00000000
--- a/.github/workflows/sign-image.yml
+++ /dev/null
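Review bot: The image reference on both the `cosign sign` and `cosign verify` lines is `kubewarden-controller:@${{ steps.build-image.outputs.digest }}`, and the `:` before `@` leaves an empty tag in front of the digest, which is not a valid reference; the deleted sign-image.yml used `kubewarden-controller@${{ inputs.image-digest }}` and that form should be kept here. The verify step has a second mismatch: `--certificate-identity-regexp` joins the workflow path and ref with `:` (`container-image.yml:${{ github.ref }}`), whereas the deleted file's pattern, and the job workflow identity GitHub's OIDC token carries, use `@` (`sign-image.yml@${{ github.ref }}`), so the verification would not match the certificate the sign step just obtained. Changing the three lines to `ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ steps.build-image.outputs.digest }}` (on both the sign and verify invocations) and `--certificate-identity-regexp="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/container-image.yml@${{ github.ref }}"` fixes both. Whether a step with id `build-image` exists and whether this job grants `id-token: write` and `packages: write` cannot be seen in the hunk; the `steps:` list this step belongs to starts and ends outside it.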
@@ -1,37 +0,0 @@ -name: Sign image - -on: - workflow_call: - inputs: - image-digest: - type: string - required: true - -jobs: - sign: - name: Sign image - permissions: - packages: write - id-token: write - - runs-on: ubuntu-latest - steps: - - name: Install cosign - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - - - name: Login to GitHub Container Registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Sign container image - run: | - cosign sign --yes \ - ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ inputs.image-digest }} - - cosign verify \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/sign-image.yml@${{ github.ref }}" \ - ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ inputs.image-digest }}