

Merge pull request #1821 from kube-logging/feat/add-image-and-chart-signing

feat: add image and chart signing
pepov authored Oct 10, 2024
2 parents 8e963f8 + b7331da commit fc01fc2
Showing 1 changed file with 50 additions and 2 deletions.
52 changes: 50 additions & 2 deletions .github/workflows/artifacts.yaml
@@ -66,6 +66,9 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1

- name: Set up Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Set image name
id: image-name
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
@@ -88,7 +91,6 @@ jobs:
org.opencontainers.image.authors=Kube logging authors
org.opencontainers.image.documentation=https://kube-logging.dev/docs/
# Multiple exporters are not supported yet
# See https://github.com/moby/buildkit/pull/2760
- name: Determine build output
@@ -120,6 +122,31 @@ jobs:
outputs: ${{ steps.build-output.outputs.value }},name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
# push: ${{ inputs.publish }}

- name: Sign image with GitHub OIDC Token
if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
- name: Verify signed image with cosign
if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
for tag in ${TAGS}; do
cosign verify "${tag}@${DIGEST}" \
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
done
- name: Set image ref
id: image-ref
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
@@ -176,6 +203,9 @@ jobs:
with:
version: v3.12.0

- name: Set up Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Set chart name
id: chart-name
run: echo "value=${{ github.event.repository.name }}" >> "$GITHUB_OUTPUT"
@@ -220,11 +250,29 @@ jobs:
if: inputs.publish && inputs.release

- name: Helm push
run: helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }}
id: push
run: |
helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }} &> push-metadata.txt
echo "digest=$(awk '/Digest: /{print $2}' push-metadata.txt)" >> "$GITHUB_OUTPUT"
env:
HELM_REGISTRY_CONFIG: ~/.docker/config.json
if: inputs.publish && inputs.release

- name: Sign chart with GitHub OIDC Token
if: ${{ inputs.publish && inputs.release && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.push.outputs.digest }}
run: cosign sign --yes "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}"

- name: Verify signed chart with cosign
if: ${{ inputs.publish && inputs.release && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.push.outputs.digest }}
run: |
cosign verify "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}" \
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
with:
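Review bot: In the `Helm push` step the digest is scraped from helm's output with awk and written to `$GITHUB_OUTPUT` without checking that anything was matched, so a changed output format leaves `steps.push.outputs.digest` empty and the chart signing and verify steps then run cosign on a reference that ends in a bare `@`, failing late with an unrelated error; capture it first, `digest="$(awk '/Digest: /{print $2}' push-metadata.txt)"`, then guard with `test -n "$digest" || { cat push-metadata.txt; exit 1; }` before the echo. The `&>` redirect on the same line also keeps helm's error output out of the job log when the push itself fails, which the `cat` in that guard would restore. Keyless `cosign sign --yes` depends on the job having `id-token: write`; the job-level `permissions` block is outside this diff, so please confirm it is granted for both the image and the chart job. The verify steps pin `--certificate-identity` to `artifacts.yaml@${{ github.ref }}`, which presumably matches the certificate's workflow ref only while this reusable workflow is invoked from the same repository at the same ref; a short comment above those lines stating that assumption would save the next reader from guessing why a cross-repository caller fails verification.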

