feat(release): sign images with cosign (#25)

* feat(release): sign images * debug * debug * re-enable scanning * update action versions
ibm-skills-network · Sep 20, 2023 · ffd863a · ffd863a
1 parent 5d96fdc
commit ffd863a
Showing 1 changed file with 23 additions and 7 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -110,22 +110,22 @@ jobs:
 
       # If this is a scheduled (nightly) build use latest release tag
       # Otherwise use referenced/default branch/tag
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           token: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
           submodules: recursive
           ref: ${{ steps.latest-release.outputs.latest-release }}
         if: ${{ github.event_name == 'schedule' }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           token: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
           submodules: recursive
         if: ${{ github.event_name != 'schedule' }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Login to Global ICR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: icr.io
           # These are organization-wide secrets,
@@ -134,7 +134,7 @@ jobs:
           password: ${{ secrets.ICR_PASSWORD }}
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             ${{ inputs.image }}
@@ -164,7 +164,7 @@ jobs:
 
       - name: Build and push image to scan
         if: ${{ inputs.scan_image_enabled && ( github.ref_type != 'tag' || steps.check-ref.outputs.has_alpha == 'false' ) }}
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           # If your Dockerfile is not present in the root directory
           # change it to the correct subdirectory name
@@ -195,7 +195,8 @@ jobs:
           fail_if_overdue: ${{ inputs.scan_fail_if_overdue }}
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        id: build-push
+        uses: docker/build-push-action@v5
         with:
           # If your Dockerfile is not present in the root directory
           # change it to the correct subdirectory name
@@ -215,3 +216,18 @@ jobs:
           build-args: |-
             SN_GITHUB_NPM_TOKEN=${{ secrets.NPM_TOKEN }}
             SN_GITHUB_NPM_REGISTRY=https://npm.pkg.github.com
+
+      - uses: sigstore/cosign-installer@main
+
+      - name: Write signing key to disk
+        run: echo "${{ secrets.CONTAINER_IMAGE_SIGNING_PRIVATE_KEY }}" > cosign.key
+
+      - name: Sign container image
+        run: |
+          cosign sign --key cosign.key \
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "ref=${{ github.sha }}" \
+            ${{ inputs.image }}@${{ steps.build-push.outputs.digest }}
+        env:
+          COSIGN_PASSWORD: ${{ secrets.CONTAINER_IMAGE_SIGNING_PASSWORD }}