Skip to content

Commit

Permalink
chore: encrypt gh actions secret outputs
Browse files Browse the repository at this point in the history
Signed-off-by: Carlos Salas <carlos.salas@suse.com>
  • Loading branch information
salasberryfin committed Oct 20, 2023
1 parent 7cb2be1 commit 1dbf677
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 16 deletions.
36 changes: 23 additions & 13 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,6 @@ on:
push:
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
env:
PROD_REGISTRY: registry.rancher.com/rancher

permissions:
contents: write # Allow to create a release.
Expand All @@ -30,7 +28,8 @@ jobs:
TAG: ${{ github.ref_name }}
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
ORG: rancher-sandbox
ORG: ${{ secrets.RANCHER_ORG }}
GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -53,7 +52,7 @@ jobs:
- name: Store list of ghcr images and digests
id: ghcr-images
run: |
./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }}
./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }} ${{ env.GPG_SIGN_PASSPHRASE }}
ghcr-sign:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -81,7 +80,8 @@ jobs:
TAG: ${{ github.ref_name }}
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
ORG: rancher-sandbox
ORG: ${{ secrets.RANCHER_ORG }}
GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
steps:
- name: Docker login to ghcr registry
uses: docker/login-action@v3
Expand All @@ -94,15 +94,18 @@ jobs:
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign --yes ${{ matrix.images.image }}
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign sign --yes ${image}
- name: Verify pushed ghcr images
env:
COSIGN_EXPERIMENTAL: 1
run: |
#decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
#cosign verify ${decrypted_image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
ghcr-provenance:
needs: [build-ghcr, ghcr-sign]
needs: [ghcr-sign]
permissions:
actions: read
id-token: write
Expand Down Expand Up @@ -151,9 +154,11 @@ jobs:
s390x_digest: ${{ steps.prod-images.outputs.s390x_digest }}
env:
TAG: ${{ github.ref_name }}
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
PROD_ORG: rancher-sandbox
PROD_ORG: ${{ secrets.RANCHER_ORG }}
GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -176,7 +181,7 @@ jobs:
- name: Store list of prod images and digests
id: prod-images
run: |
./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }}
./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }} ${{ env.GPG_SIGN_PASSPHRASE }}
prod-sign:
runs-on: ubuntu-latest
Expand All @@ -202,8 +207,10 @@ jobs:
]
env:
TAG: ${{ github.ref_name }}
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
steps:
- name: Docker login to prod registry
uses: docker/login-action@v3
Expand All @@ -216,15 +223,17 @@ jobs:
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign --yes ${{ matrix.images.image }}
decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
cosign sign --yes ${decrypted_image}
- name: Verify pushed ghcr images
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
cosign verify ${decrypted_image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
prod-provenance:
needs: [build-prod, prod-sign]
needs: [prod-sign]
permissions:
actions: read
id-token: write
Expand Down Expand Up @@ -263,7 +272,8 @@ jobs:
runs-on: ubuntu-latest
env:
TAG: ${{ github.ref_name }}
PROD_ORG: rancher-sandbox
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_ORG: ${{ secrets.RANCHER_ORG }}
RELEASE_DIR: .cr-release-packages
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
steps:
Expand Down
15 changes: 12 additions & 3 deletions scripts/image-digest.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

# Run your command and capture its output
output=$(make docker-list-all REGISTRY="$1" ORG="$2" TAG="$3")
PASSPHRASE="$4"

# Use a for loop to iterate over each line
IFS=$'\n' # Set the Internal Field Separator to newline
Expand All @@ -14,9 +15,17 @@ for line in $output; do
# Run the Docker command and get the digest
digest=$(docker buildx imagetools inspect "$line" --format '{{json .}}' | jq -r .manifest.digest)

# Add image name and digest to the output
echo "${githubimageoutput[$line_count]}=$line" >> "$GITHUB_OUTPUT"
echo "${githubdigestoutput[$line_count]}=$digest" >> "$GITHUB_OUTPUT"
# Add encrypted image name to the output
#image_output="$line"
image_output=$(echo -n "$line" | base64 -w0 | base64 -w0)
#encrypted_image=$(gpg --symmetric --batch --passphrase ${PASSPHRASE} --output - <(echo ${image_output}) | base64 -w0)
#echo "${githubimageoutput[$line_count]}=${encrypted_image}" >> "$GITHUB_OUTPUT"
echo "${githubimageoutput[$line_count]}=${image_output}" >> "$GITHUB_OUTPUT"
# Add encrypted digest to the output
digest_output="$digest"
#encrypted_digest=$(gpg --symmetric --batch --passphrase ${PASSPHRASE} --output - <(echo ${digest_output}) | base64 -w0)
#echo "${githubdigestoutput[$line_count]}=${encrypted_digest}" >> "$GITHUB_OUTPUT"
echo "${githubdigestoutput[$line_count]}=${digest_output}" >> "$GITHUB_OUTPUT"

# Increment the line counter
line_count=$((line_count + 1))
Expand Down

0 comments on commit 1dbf677

Please sign in to comment.