feat(image): Sign image with cosign

codecentric · Aug 9, 2024 · 68bbd91 · 68bbd91
1 parent b150f42
commit 68bbd91
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -9,6 +9,8 @@ jobs:
   push_images:
     name: Test and Push Images
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # needed for signing the images with GitHub OIDC Token
     strategy:
       matrix:
         # "{0}" will be replaced by the latest pushed nginx version
@@ -44,6 +46,8 @@ jobs:
           nginx-tag: "${{ steps.target_nginx_tag.outputs.tag }}"
           matrix-nginx: "${{ matrix.nginx }}"
           docker-repository: "${{ vars.DOCKER_REPOSITORY }}"
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
       - uses: docker/setup-qemu-action@v3
         name: Set up QEMU
       - uses: docker/setup-buildx-action@v3
@@ -55,6 +59,7 @@ jobs:
           password: ${{ secrets.DOCKER_PASSWORD }}
       - uses: docker/build-push-action@v6
         name: Build and push
+        id: build-and-push
         if: ${{ steps.target_tags.outputs.tags != '' }}
         with:
           context: .
@@ -65,3 +70,15 @@ jobs:
           build-args: NGINX_TAG=${{ steps.target_nginx_tag.outputs.tag }}
           provenance: mode=max
           sbom: true
+      - name: Sign the images with GitHub OIDC Token
+        if: ${{ steps.target_tags.outputs.tags != '' }}
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.target_tags.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS//,/ }; do
+            images+="${tag}@${DIGEST} "
+          done
+          echo '${{ secrets.DOCKER_PASSWORD }}' | cosign login ${{ vars.HELM_REGISTRY }} --username '${{ secrets.DOCKER_USERNAME }}' --password-stdin
+          cosign sign --yes ${images}
diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml
@@ -11,6 +11,8 @@ jobs:
   rebase_images:
     name: Update Images
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # needed for signing the images with GitHub OIDC Token
     strategy:
       matrix:
         spa_server_major_version: [ "latest", "1" ]
@@ -81,6 +83,7 @@ jobs:
           password: ${{ secrets.DOCKER_PASSWORD }}
       - uses: docker/build-push-action@v6
         name: Build and push
+        id: build-and-push
         if: ${{ steps.check_if_update_is_necessary.outputs.needs_update == 'true' && steps.target_image_name.outputs.tags != '' }}
         with:
           context: .
@@ -91,3 +94,15 @@ jobs:
           build-args: NGINX_TAG=${{ steps.target_nginx_tag.outputs.tag }}
           provenance: mode=max
           sbom: true
+      - name: Sign the images with GitHub OIDC Token
+        if: ${{ steps.target_tags.outputs.tags != '' }}
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.target_image_name.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS//,/ }; do
+            images+="${tag}@${DIGEST} "
+          done
+          echo '${{ secrets.DOCKER_PASSWORD }}' | cosign login ${{ vars.HELM_REGISTRY }} --username '${{ secrets.DOCKER_USERNAME }}' --password-stdin
+          cosign sign --yes ${images}