
sign images using cosign (#845)

Signed-off-by: cpanato <ctadeu@gmail.com>
Carlos Tadeu Panato Junior 4 years ago
parent
commit
332977caba
3 changed files with 35 additions and 0 deletions
  1. 13 0
      .github/workflows/ci.yml
  2. 16 0
      .github/workflows/release.yml
  3. 6 0
      Makefile

+ 13 - 0
.github/workflows/ci.yml

@@ -186,6 +186,9 @@ jobs:
     needs: detect-noop
     if: needs.detect-noop.outputs.noop != 'true'
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v1
@@ -248,3 +251,13 @@ jobs:
         run: make docker.promote
         env:
           RELEASE_TAG: main
+
+      - name: Set up crane
+        if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
+        run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0
+
+      - name: Sign Artifacts to main release channel
+        if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
+        run: make docker.sign
+        env:
+          RELEASE_TAG: main
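Review bot: The job-level `permissions:` block at the top of the hunk lists only `id-token: write`, and GitHub sets every scope not listed there to `none` for the whole job, so any step in this job that relies on `GITHUB_TOKEN` (the checkout above the hunk, or `make docker.promote` if it pushes to GHCR with that token) loses access; declare the rest explicitly, e.g. `contents: read` next to `id-token: write`, and `packages: write` only if the promote step really authenticates with `GITHUB_TOKEN`. The `env.GHCR_USERNAME != ''` guard suggests the registry login uses a PAT secret rather than `GITHUB_TOKEN`, in which case `contents: read` is all that is missing, but that is inferred from outside the hunk. Nothing in this hunk installs `cosign`; if it comes from an installer step elsewhere in the job, pin it by version the way crane is pinned to `v0.8.0` here, since an unpinned signer is itself a supply-chain weak point. The job's header and its checkout step start before this hunk.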

+ 16 - 0
.github/workflows/release.yml

@@ -16,6 +16,7 @@ jobs:
   release:
     name: Create Release
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -68,6 +69,10 @@ jobs:
   promote:
     name: Promote Container Image
     runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -88,3 +93,14 @@ jobs:
         env:
           RELEASE_TAG: ${{ github.event.inputs.version }}
           SOURCE_TAG: main
+
+      - name: Set up crane
+        if: env.GHCR_USERNAME != ''
+        run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0
+
+      - name: Sign Container Image
+        if: env.GHCR_USERNAME != ''
+        run: make docker.sign
+        env:
+          RELEASE_TAG: ${{ github.event.inputs.version }}
+          SOURCE_TAG: main
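Review bot: The `Sign Container Image` step passes `SOURCE_TAG: main`, which the `docker.sign` target added in this commit's Makefile never reads (it uses only `IMAGE_REGISTRY` and `RELEASE_TAG`), so drop that line to keep the env block honest about what the recipe consumes. The new `permissions: id-token: write` block on the `promote` job sets every unlisted scope to `none`, and the `actions/checkout@v3` step directly below it then runs with `contents: none`; that may still work for a public repository, but it should not be left to chance — list `contents: read` alongside `id-token: write`. `RELEASE_TAG` is the raw `workflow_dispatch` input `version` and is interpolated unquoted into the Makefile's shell recipe; that input is maintainer-only, but validating it against a tag pattern (e.g. `^v[0-9]+\.[0-9]+\.[0-9]+`) in a preceding step before anything is promoted or signed is cheap insurance.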

+ 6 - 0
Makefile

@@ -231,6 +231,12 @@ docker.promote: ## Promote the docker image to the registry
 	docker manifest push $(IMAGE_REGISTRY):$(RELEASE_TAG)
 	@$(OK) docker push $(RELEASE_TAG) \
 
+docker.sign: ## Sign
+	@$(INFO) signing $(IMAGE_REGISTRY):$(RELEASE_TAG)
+	crane digest $(IMAGE_REGISTRY):$(RELEASE_TAG) > .digest
+	cosign sign $(IMAGE_REGISTRY)@$$(cat .digest)
+	@$(OK) cosign sign $(IMAGE_REGISTRY):$(RELEASE_TAG)
+
 # ====================================================================================
 # Terraform
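Review bot: `docker.sign` writes the resolved digest to a `.digest` file in the working tree and never removes it, so it can end up in a later build context or an accidental commit; capture it in the shell instead, `digest=$$(crane digest $(IMAGE_REGISTRY):$(RELEASE_TAG)) && cosign sign $(IMAGE_REGISTRY)@$$digest`, which keeps the resolve-then-sign failure behaviour because the `&&` stops before `cosign sign` ever sees an empty digest. Signing the immutable digest rather than the mutable tag is the right choice; the closing `$(OK)` line could echo that digest as well so the log records exactly what was signed. Nothing in the recipe or the workflow steps sets `COSIGN_EXPERIMENTAL=1`, which cosign 1.x requires for the keyless OIDC flow the `id-token: write` permission is there for — if the runner's cosign is 1.x, add it to the recipe or to the step's `env:`, otherwise the call prompts for a key and fails. Add `docker.sign` to the Makefile's `.PHONY` list if one exists outside this hunk, as a stray file named `docker.sign` would otherwise satisfy the target.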