Skip to content

Commit

Permalink
BC-3751 sign images using cosign (#22)
Browse files Browse the repository at this point in the history
  • Loading branch information
Loki-Afro authored Sep 16, 2024
1 parent f9b2095 commit ced7a42
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 5 deletions.
20 changes: 19 additions & 1 deletion .github/workflows/push.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,8 @@ jobs:
images: ghcr.io/${{ github.repository }}
tags: |
type=ref,event=branch,enable=false,priority=600
type=sha,enable=true,priority=600,prefix=
type=sha,enable=true,priority=600,prefix=,format=long
- name: Log into registry
uses: docker/login-action@v3
with:
Expand All @@ -49,6 +50,7 @@ jobs:
echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
- name: Build and push ${{ github.repository }}
id: build_and_push
if: ${{ env.IMAGE_EXISTS == 0 }}
uses: docker/build-push-action@v5
with:
Expand All @@ -60,6 +62,22 @@ jobs:
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
labels: ${{ steps.docker_meta_img.outputs.labels }}

- name: Install Cosign
uses: sigstore/cosign-installer@v3.6.0

- name: Sign image with a key
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
env:
TAGS: ${{ steps.docker_meta_img.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
DIGEST: ${{ steps.build_and_push.outputs.digest }}

branch_meta:
runs-on: ubuntu-latest
outputs:
Expand Down
26 changes: 22 additions & 4 deletions .github/workflows/tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,13 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Docker meta Service Name for docker hub
id: docker_meta_img_hub
id: docker_meta_img
uses: docker/metadata-action@v5
with:
images: docker.io/schulcloud/version-aggregator, quay.io/schulcloudverbund/version-aggregator
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}.{{minor}}
- name: Log into docker registry
uses: docker/login-action@v3
Expand All @@ -38,12 +38,30 @@ jobs:
password: ${{ secrets.QUAY_TOKEN }}

- name: Build and push ${{ github.repository }}
id: build_and_push
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
push: true
pull: true
tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
tags: ${{ steps.docker_meta_img.outputs.tags }}
labels: ${{ steps.docker_meta_img.outputs.labels }}


- name: Install Cosign
uses: sigstore/cosign-installer@v3.6.0

- name: Sign image with a key
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
env:
TAGS: ${{ steps.docker_meta_img.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
DIGEST: ${{ steps.build_and_push.outputs.digest }}

0 comments on commit ced7a42

Please sign in to comment.