Skip to content

Commit

Permalink
feat: flagd image signing (#338)
Browse files Browse the repository at this point in the history
## This PR

fixes #328

Introduce image signing for flagd. Signature is pushed to OCR repository
and public key will get added to release artefacts under the name
`publicKey.pub` (referred through variable PUBLIC_KEY_FILE in GH action)

**NOTE** - Require COSIGN_PRIVATE_KEY & COSIGN_PASSWORD secrets to be
created. And decide how to expose public key

---------

Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
  • Loading branch information
Kavindu-Dodan authored Feb 1, 2023
1 parent 09f74b9 commit eca6a60
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions .github/workflows/release-please.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
DEFAULT_GO_VERSION: 1.19.3
PUBLIC_KEY_FILE: publicKey.pub

name: Run Release Please
jobs:
Expand Down Expand Up @@ -77,6 +78,22 @@ jobs:
COMMIT=${{ github.sha }}
DATE=${{ steps.date.outputs.date }}
- name: Install Cosign
uses: sigstore/cosign-installer@main

- name: Sign the image
run: |
cosign sign --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.release_tag_name }}
cosign public-key --key env://COSIGN_PRIVATE_KEY --outfile ${{ env.PUBLIC_KEY_FILE }}
env:
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}

- name: Bundle release assets
uses: softprops/action-gh-release@v1
with:
files: ${{ env.PUBLIC_KEY_FILE }}

- name: SBOM for latest image
uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0
with:
Expand Down

0 comments on commit eca6a60

Please sign in to comment.