ci: create and publish artifact signatures with cosign

Signed-off-by: Massimiliano Giovagnoli <[email protected]>
falcosecurity · Jun 24, 2023 · ee8b2b3 · ee8b2b3
1 parent 48c224f
commit ee8b2b3
Showing 1 changed file with 31 additions and 1 deletion.
diff --git a/.github/workflows/upload-oci-artifacts.yaml b/.github/workflows/upload-oci-artifacts.yaml
@@ -6,6 +6,9 @@ jobs:
  publish-oci-artifacts:
  runs-on: ubuntu-latest
 
+ outputs:
+ matrix: ${{ steps.oci_build.outputs.REGISTRY_UPDATE_STATUS }}
+
  steps:
  - name: Checkout Plugins
  uses: actions/checkout@v3
@@ -33,4 +36,31 @@ jobs:
  echo "REGISTRY_UPDATE_STATUS=$(
  ./bin/registry update-oci-registry ../../registry.yaml
  )" >> $GITHUB_OUTPUT
- - run: "echo ${{ steps.oci_build.outputs.REGISTRY_UPDATE_STATUS }}"
+
+ - name: Print registry update status
+ run: "echo ${{ steps.oci_build.outputs.REGISTRY_UPDATE_STATUS }}"
+
+ # Create signatures of the plugin artifacts as OCI artifacts
+ sign-oci-artifacts:
+ needs: [ publish-oci-artifacts ]
+
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ value: ${{ fromJson(needs.publish-oci-artifacts.outputs.matrix) }}
+
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+
+ steps:
+ - name: Install Cosign
+ uses: sigstore/[email protected]
+ with:
+ cosign-release: 'v2.1.0'
+ - run: cosign version
+ - name: Sign the artifacts with GitHub OIDC Token
+ run: cosign sign --yes ${{ matrix.value.repository.ref }}@${{ matrix.value.artifact.digest }}
+