From 7359c9bf936efd0ad57a893021ad5915fbfb362a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ga=C3=ABl=20Goinvic?= Date: Wed, 3 Jan 2024 10:42:32 +0100 Subject: [PATCH] sign images using cosign MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gaƫl Goinvic --- .github/workflows/dockerhub.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/dockerhub.yaml b/.github/workflows/dockerhub.yaml index ab666bf27a..26008d6a8b 100644 --- a/.github/workflows/dockerhub.yaml +++ b/.github/workflows/dockerhub.yaml @@ -7,6 +7,9 @@ on: # This job can take a while, and we have usage limits, so just publish develop only twice a day - cron: "0 7/12 * * *" concurrency: ${{ github.workflow }}-${{ github.ref_name }} + +permissions: + id-token: write # needed for signing the images with GitHub OIDC Token jobs: buildx: name: Docker Buildx @@ -26,6 +29,9 @@ jobs: with: fetch-depth: 0 # needed for docker-package to be able to calculate the version + - name: Install Cosign + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3 + - name: Prepare if: matrix.prepare run: ${{ matrix.prepare }} @@ -58,6 +64,7 @@ jobs: ${{ matrix.flavor }} - name: Build and push + id: build-and-push uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5 with: context: . @@ -66,6 +73,17 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} + - name: Update repo description if: matrix.variant == 'vanilla' uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4