🐛 Fix issuer value for signature verification (#251)

* Fix issuer value for signature verification Signed-off-by: Danil Grigorev <danil.grigorev@suse.com> * Add multiarch job Signed-off-by: Danil Grigorev <danil.grigorev@suse.com> --------- Signed-off-by: Danil Grigorev <danil.grigorev@suse.com>
rancher · Nov 15, 2023 · fabfc89 · fabfc89
1 parent 5227075
commit fabfc89
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 2 deletions.
diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml
@@ -85,7 +85,7 @@ jobs:
         with:
           image: ${{ format('{0}-{1}', vars[inputs.image], inputs.arch) }}
           digest: ${{ needs.build.outputs.digest }}
-          identity: https://github.com/${{ inputs.org }}/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ inputs.tag }}
+          identity: https://github.com/${{ inputs.org }}/rancher-turtles/.github/workflows/release-workflow.yml@refs/tags/${{ inputs.tag }}
           oids-issuer: https://token.actions.githubusercontent.com
           registry: ${{ inputs.secret_registry && secrets[inputs.registry] || inputs.registry }}
           username: ${{ inputs.secret_registry && secrets[inputs.username] || inputs.username }}

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -43,6 +43,43 @@ jobs:
       secret_registry: ${{ matrix.secret_registry }}
     secrets: inherit
 
+  multiarch:
+    name: Publish multiarch image
+    needs: [build-push-services]
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    strategy:
+      matrix:
+        destination: [ghcr, prod]
+        include:
+        - destination: ghcr
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: GITHUB_TOKEN
+          image: GHCR_IMAGE
+          secret_registry: false
+        - destination: prod
+          registry: REGISTRY_ENDPOINT
+          username: REGISTRY_USERNAME
+          password: REGISTRY_PASSWORD
+          image: REGISTRY_IMAGE
+          secret_registry: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Docker login
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ matrix.secret_registry && secrets[matrix.registry] || matrix.registry }}
+          username: ${{ matrix.secret_registry && secrets[matrix.username] || matrix.username }}
+          password: ${{ secrets[matrix.password] }}
+      - name: Publish multiarch
+        run: CONTROLLER_IMG=${{ vars[matrix.image] }} TAG=${{ github.ref_name }} make docker-push-manifest-rancher-turtles
+
   release:
     name: Create helm release
     needs: [build-push-services]

diff --git a/.github/workflows/release_sign/action.yaml b/.github/workflows/release_sign/action.yaml
@@ -55,4 +55,4 @@ runs:
       env:
         COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign verify ${{ inputs.image }}@${{ inputs.digest }} --certificate-identity={{ inputs.identity }} --certificate-oidc-issuer=${{ inputs.oids-issuer }}
+        cosign verify ${{ inputs.image }}@${{ inputs.digest }} --certificate-identity=${{ inputs.identity }} --certificate-oidc-issuer=${{ inputs.oids-issuer }}