diff --git a/.github/workflows/build_canary.yml b/.github/workflows/build_canary.yml index 621b7699..8cd39deb 100644 --- a/.github/workflows/build_canary.yml +++ b/.github/workflows/build_canary.yml @@ -8,6 +8,11 @@ on: jobs: build: runs-on: ubuntu-20.04 + permissions: + contents: read + packages: write + id-token: write # needed for signing the images with GitHub OIDC Token **not production ready** + container: ghcr.io/kedacore/keda-tools:1.22.2 steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 @@ -32,3 +37,15 @@ jobs: run: make publish-multiarch env: VERSION: canary + + # https://github.com/sigstore/cosign-installer + - name: Install Cosign + uses: sigstore/cosign-installer@v3 + + - name: Check Cosign install! + run: cosign version + + - name: Sign KEDA images published on GitHub Container Registry + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: make sign-images diff --git a/.github/workflows/build_release.yml b/.github/workflows/build_release.yml index d4e94afc..96e85a15 100644 --- a/.github/workflows/build_release.yml +++ b/.github/workflows/build_release.yml @@ -7,6 +7,11 @@ on: jobs: build: runs-on: ubuntu-20.04 + permissions: + contents: read + packages: write + id-token: write # needed for signing the images with GitHub OIDC Token **not production ready** + container: ghcr.io/kedacore/keda-tools:1.22.2 steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 @@ -42,6 +47,18 @@ jobs: env: VERSION: ${{ steps.get_version.outputs.VERSION }} + # https://github.com/sigstore/cosign-installer + - name: Install Cosign + uses: sigstore/cosign-installer@v3 + + - name: Check Cosign install! + run: cosign version + + - name: Sign KEDA images published on GitHub Container Registry + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: make sign-images + # Get release information to determine id of the current release - name: Get Release id: get-release-info diff --git a/CHANGELOG.md b/CHANGELOG.md index 16297bc0..7836984e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,7 +39,7 @@ This changelog keeps track of work items that have been completed and are ready ### Other -- **General**: TODO ([#TODO](https://github.com/kedacore/http-add-on/issues/TODO)) +- **General**: Sign images with Cosign ([#1062](https://github.com/kedacore/http-add-on/issues/1062)) ## v0.8.0 diff --git a/Makefile b/Makefile index d8a2671a..8cc5f5a0 100644 --- a/Makefile +++ b/Makefile @@ -32,6 +32,8 @@ GO_LDFLAGS="-X github.com/kedacore/http-add-on/pkg/build.version=${VERSION} -X g GIT_COMMIT ?= $(shell git rev-list -1 HEAD) GIT_COMMIT_SHORT ?= $(shell git rev-parse --short HEAD) +COSIGN_FLAGS ?= -y -a GIT_HASH=${GIT_COMMIT} -a GIT_VERSION=${VERSION} -a BUILD_DATE=${DATE} + define DOMAINS basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment @@ -142,6 +144,14 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust verify-manifests: ## Verify manifests are up to date. ./hack/verify-manifests.sh +sign-images: ## Sign KEDA images published on GitHub Container Registry + COSIGN_EXPERIMENTAL=1 cosign sign ${COSIGN_FLAGS} $(IMAGE_OPERATOR_VERSIONED_TAG) + COSIGN_EXPERIMENTAL=1 cosign sign ${COSIGN_FLAGS} $(IMAGE_OPERATOR_SHA_TAG) + COSIGN_EXPERIMENTAL=1 cosign sign ${COSIGN_FLAGS} $(IMAGE_INTERCEPTOR_VERSIONED_TAG) + COSIGN_EXPERIMENTAL=1 cosign sign ${COSIGN_FLAGS} $(IMAGE_INTERCEPTOR_SHA_TAG) + COSIGN_EXPERIMENTAL=1 cosign sign ${COSIGN_FLAGS} $(IMAGE_SCALER_VERSIONED_TAG) + COSIGN_EXPERIMENTAL=1 cosign sign ${COSIGN_FLAGS} $(IMAGE_SCALER_SHA_TAG) + mockgen: ## Generate mock implementations of Go interfaces. ./hack/update-mockgen.sh