diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9c32b3480..43ad72a1b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,8 +4,6 @@ on:
 push:
 tags:
 - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
-env:
- PROD_REGISTRY: registry.rancher.com/rancher
 permissions:
 contents: write # Allow to create a release.
@@ -31,6 +29,7 @@ jobs:
 REGISTRY: ghcr.io
 USERNAME: ${{ github.actor }}
 ORG: rancher-sandbox
+ GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -53,7 +52,7 @@ jobs:
 - name: Store list of ghcr images and digests
 id: ghcr-images
 run: |
- ./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }}
+ ./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }} ${{ env.GPG_SIGN_PASSPHRASE }}
 ghcr-sign:
 runs-on: ubuntu-latest
@@ -82,6 +81,7 @@ jobs:
 REGISTRY: ghcr.io
 USERNAME: ${{ github.actor }}
 ORG: rancher-sandbox
+ GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
 steps:
 - name: Docker login to ghcr registry
 uses: docker/login-action@v3 
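Review bot: The new fourth argument in the `ghcr-images` step hands the GPG passphrase to `image-digest.sh` on its command line, where it is readable through `/proc/<pid>/cmdline` by any other process on the runner and echoed by any `set -x` trace, and the `${{ env.GPG_SIGN_PASSPHRASE }}` expression splices the raw secret text into the generated shell script instead of referencing it. The `-31` hunk appears to export `GPG_SIGN_PASSPHRASE` at job level for this same job, so the script can read it from its environment: keep the call as `./scripts/image-digest.sh "$REGISTRY" "$ORG" "$TAG"` and have the script start with `PASSPHRASE="${GPG_SIGN_PASSPHRASE:?GPG_SIGN_PASSPHRASE not set}"`. A passphrase containing whitespace or shell metacharacters would also be word-split or misparsed by the current unquoted expansion, which the environment-variable form avoids. The same pattern is repeated for the `prod-images` step in the `-176` hunk.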
@@ -94,15 +94,17 @@ jobs:
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
- cosign sign --yes ${{ matrix.images.image }}
+ decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
+ cosign sign --yes ${decrypted_image}
 - name: Verify pushed ghcr images
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
- cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+ decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
+ cosign verify ${decrypted_image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ghcr-provenance:
- needs: [build-ghcr, ghcr-sign]
+ needs: [ghcr-sign]
 permissions:
 actions: read
 id-token: write
@@ -151,9 +153,11 @@ jobs:
 s390x_digest: ${{ steps.prod-images.outputs.s390x_digest }}
 env:
 TAG: ${{ github.ref_name }}
+ PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
 PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
 PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
 PROD_ORG: rancher-sandbox
+ GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -176,7 +180,7 @@ jobs:
 - name: Store list of prod images and digests
 id: prod-images
 run: |
- ./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }}
+ ./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }} ${{ env.GPG_SIGN_PASSPHRASE }}
 prod-sign:
 runs-on: ubuntu-latest 
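Review bot: `needs: [ghcr-sign]` drops `build-ghcr` as a direct dependency of `ghcr-provenance`, and `needs.<job>.outputs` is only populated for jobs listed directly in `needs`, so if the provenance job still reads `needs.build-ghcr.outputs.*` for the per-arch digests (the job-level `*_digest` outputs visible as context in the `-151` hunk) those expressions now evaluate to empty strings even though the job is still scheduled after the build transitively. Independently, `scripts/image-digest.sh` now writes the digest outputs as base64-encoded GPG ciphertext, and no hunk in this diff touches the provenance job body, so unless that job was changed elsewhere it would pass a ciphertext blob rather than a `sha256:` value to the provenance generator. Restore the direct dependency with `needs: [build-ghcr, ghcr-sign]`, and either decrypt the digests in the provenance job the way the sign step decrypts the image reference, or leave the digests unencrypted since a digest carries no secret (only the registry endpoint does). The same `needs` change is repeated for `prod-provenance` in the `-216` hunk.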
@@ -202,8 +206,10 @@ jobs:
 ]
 env:
 TAG: ${{ github.ref_name }}
+ PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
 PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
 PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+ GPG_SIGN_PASSPHRASE: ${{ secrets.GPG_SIGN_PASSPHRASE }}
 steps:
 - name: Docker login to prod registry
 uses: docker/login-action@v3
@@ -216,15 +222,17 @@ jobs:
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
- cosign sign --yes ${{ matrix.images.image }}
+ decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
+ cosign sign --yes ${decrypted_image}
 - name: Verify pushed ghcr images
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
- cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+ decrypted_image=$(gpg --decrypt --quiet --batch --passphrase ${{ env.GPG_SIGN_PASSPHRASE }} --output - <(echo ${{ matrix.images.image }} | base64 --decode))
+ cosign verify ${decrypted_image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 prod-provenance:
- needs: [build-prod, prod-sign]
+ needs: [prod-sign]
 permissions:
 actions: read
 id-token: write
@@ -263,6 +271,7 @@ jobs:
 runs-on: ubuntu-latest
 env:
 TAG: ${{ github.ref_name }}
+ PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
 PROD_ORG: rancher-sandbox
 RELEASE_DIR: .cr-release-packages
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/scripts/image-digest.sh b/scripts/image-digest.sh
index 905c0aa66..e32d1ccda 100755
--- a/scripts/image-digest.sh
+++ b/scripts/image-digest.sh 
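Review bot: In the prod sign and verify steps of the `-216` hunk, `--passphrase ${{ env.GPG_SIGN_PASSPHRASE }}` places the secret on `gpg`'s argv, where any other process on the runner can read it from `/proc`, and expression expansion writes it verbatim into the generated script; the value is already in the job environment, so read it from there over a descriptor: `decrypted_image=$(base64 --decode <<<'${{ matrix.images.image }}' | gpg --decrypt --quiet --batch --pinentry-mode loopback --passphrase-fd 3 3<<<"$GPG_SIGN_PASSPHRASE")` followed by `cosign sign --yes "$decrypted_image"` (and the same for the verify step). `--pinentry-mode loopback` is what the GnuPG 2.1+ manual requires for a non-interactive passphrase; without it the outcome depends on the runner's gpg and agent configuration. Quote `"${decrypted_image}"` in both cosign calls and fail explicitly when decryption produces nothing, `[ -n "$decrypted_image" ] || exit 1`, rather than letting cosign receive an empty argument. The sign step's `- name:` header sits just before this hunk.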
@@ -2,6 +2,7 @@
 # Run your command and capture its output
 output=$(make docker-list-all REGISTRY="$1" ORG="$2" TAG="$3")
+PASSPHRASE="$4"
 # Use a for loop to iterate over each line
 IFS=$'\n' # Set the Internal Field Separator to newline
@@ -14,9 +15,14 @@ for line in $output; do
 # Run the Docker command and get the digest
 digest=$(docker buildx imagetools inspect "$line" --format '{{json .}}' | jq -r .manifest.digest)
- # Add image name and digest to the output
- echo "${githubimageoutput[$line_count]}=$line" >> "$GITHUB_OUTPUT"
- echo "${githubdigestoutput[$line_count]}=$digest" >> "$GITHUB_OUTPUT"
+ # Add encrypted image name to the output
+ image_output="$line"
+ encrypted_image=$(gpg --symmetric --batch --passphrase ${PASSPHRASE} --output - <(echo ${image_output}) | base64 -w0)
+ echo "${githubimageoutput[$line_count]}=${encrypted_image}" >> "$GITHUB_OUTPUT"
+ # Add encrypted digest to the output
+ digest_output="$digest"
+ encrypted_digest=$(gpg --symmetric --batch --passphrase ${PASSPHRASE} --output - <(echo ${digest_output}) | base64 -w0)
+ echo "${githubdigestoutput[$line_count]}=${encrypted_digest}" >> "$GITHUB_OUTPUT"
 # Increment the line counter
 line_count=$((line_count + 1))
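Review bot: `PASSPHRASE="$4"` accepts a missing or empty fourth argument silently, so a caller that omits it proceeds to run `gpg --symmetric --batch --passphrase ""` further down, and what gpg does with an empty passphrase in batch mode varies by version rather than failing loudly. Reject it up front with `PASSPHRASE="${4:?usage: $0 REGISTRY ORG TAG PASSPHRASE}"`, or, since the workflow already exports it, read it from the environment with `PASSPHRASE="${GPG_SIGN_PASSPHRASE:?GPG_SIGN_PASSPHRASE not set}"` so the secret never appears on the command line at all. A one-line comment above it, `# Symmetric-encryption passphrase for the values written to $GITHUB_OUTPUT`, would also help the next reader understand why a digest-listing script takes a secret.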
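Review bot: Both new `gpg --symmetric` calls pass `${PASSPHRASE}` and the plaintext unquoted, so a passphrase containing whitespace is word-split into extra arguments and the value is exposed in `/proc/<pid>/cmdline` for the life of the process; feed it over a descriptor and quote the plaintext, e.g. `encrypted_image=$(printf '%s\n' "$line" | gpg --symmetric --batch --quiet --pinentry-mode loopback --passphrase-fd 3 --output - 3<<<"$PASSPHRASE" | base64 -w0)`, and the same with `"$digest"` for the second call. No `set -e` or `pipefail` is visible in this file and the trailing `| base64 -w0` masks gpg's exit status anyway, so an encryption failure currently writes an empty `image`/`digest` value to `$GITHUB_OUTPUT` and the job carries on; add `[ -n "$encrypted_image" ] || exit 1` after each call. The `image_output`/`digest_output` copies add nothing over using `$line` and `$digest` directly. The enclosing `for` loop begins and ends outside this hunk.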