chore: encrypt gh actions secret outputs

Signed-off-by: Carlos Salas <carlos.salas@suse.com>
rancher · Oct 19, 2023 · a1fe525 · a1fe525
1 parent 7cb2be1
commit a1fe525
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 13 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -4,8 +4,6 @@ on:
   push:
     tags:
     - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
-env:
-  PROD_REGISTRY: registry.rancher.com/rancher
 
 permissions:
   contents: write # Allow to create a release.
@@ -31,6 +29,7 @@ jobs:
       REGISTRY: ghcr.io
       USERNAME: ${{ github.actor }}
       ORG: rancher-sandbox
+      GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -53,7 +52,7 @@ jobs:
     - name: Store list of ghcr images and digests
       id: ghcr-images
       run: |
-        ./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }}
+        ./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }} ${{ env.GPG_SIGN_PASSPHRASE }}
 
   ghcr-sign:
     runs-on: ubuntu-latest
@@ -82,6 +81,7 @@ jobs:
       REGISTRY: ghcr.io
       USERNAME: ${{ github.actor }}
       ORG: rancher-sandbox
+      GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
     steps:
       - name: Docker login to ghcr registry
         uses: docker/login-action@v3
@@ -94,15 +94,17 @@ jobs:
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign --yes ${{ matrix.images.image }}
+          decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
+          cosign sign --yes ${decrypted_image}
       - name: Verify pushed ghcr images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
+          cosign verify ${decrypted_image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 
   ghcr-provenance:
-    needs: [build-ghcr, ghcr-sign]
+    needs: [ghcr-sign]
     permissions:
       actions: read 
       id-token: write
@@ -151,9 +153,11 @@ jobs:
       s390x_digest: ${{ steps.prod-images.outputs.s390x_digest }}
     env:
       TAG: ${{ github.ref_name }}
+      PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
       PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
       PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
       PROD_ORG: rancher-sandbox
+      GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -176,7 +180,7 @@ jobs:
     - name: Store list of prod images and digests
       id: prod-images
       run: |
-        ./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }}
+        ./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }} ${{ env.GPG_SIGN_PASSPHRASE }}
 
   prod-sign:
     runs-on: ubuntu-latest
@@ -202,8 +206,10 @@ jobs:
         ]
     env:
       TAG: ${{ github.ref_name }}
+      PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
       PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
       PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+      GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
     steps:
       - name: Docker login to prod registry
         uses: docker/login-action@v3
@@ -216,15 +222,17 @@ jobs:
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign --yes ${{ matrix.images.image }}
+          decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
+          cosign sign --yes ${decrypted_image}
       - name: Verify pushed ghcr images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
+          cosign verify ${decrypted_image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 
   prod-provenance:
-    needs: [build-prod, prod-sign]
+    needs: [prod-sign]
     permissions:
       actions: read
       id-token: write
@@ -263,6 +271,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       TAG: ${{ github.ref_name }}
+      PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
       PROD_ORG: rancher-sandbox
       RELEASE_DIR: .cr-release-packages
       CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

diff --git a/scripts/image-digest.sh b/scripts/image-digest.sh
@@ -2,6 +2,7 @@
 
 # Run your command and capture its output
 output=$(make docker-list-all REGISTRY="$1" ORG="$2" TAG="$3")
+PASSPHRASE="$4"
 
 # Use a for loop to iterate over each line
 IFS=$'\n'       # Set the Internal Field Separator to newline
@@ -14,9 +15,14 @@ for line in $output; do
   # Run the Docker command and get the digest
   digest=$(docker buildx imagetools inspect "$line" --format '{{json .}}' | jq -r .manifest.digest)
 
-  # Add image name and digest to the output
-  echo "${githubimageoutput[$line_count]}=$line" >> "$GITHUB_OUTPUT"
-  echo "${githubdigestoutput[$line_count]}=$digest" >> "$GITHUB_OUTPUT"
+  # Add encrypted image name to the output
+  image_output="$line"
+  encrypted_image=$(gpg --symmetric --batch --passphrase ${PASSPHRASE} --output - <(echo ${image_output}) | base64 -w0)
+  echo "${githubimageoutput[$line_count]}=${encrypted_image}" >> "$GITHUB_OUTPUT"
+  # Add encrypted digest to the output
+  digest_output="$digest"
+  encrypted_digest=$(gpg --symmetric --batch --passphrase ${PASSPHRASE} --output - <(echo ${digest_output}) | base64 -w0)
+  echo "${githubdigestoutput[$line_count]}=${encrypted_digest}" >> "$GITHUB_OUTPUT"
 
   # Increment the line counter
   line_count=$((line_count + 1))