From ffd863a8878204c49d291b8894d8609edad62ea6 Mon Sep 17 00:00:00 2001
From: James Reeve
Date: Wed, 20 Sep 2023 13:59:28 -0400
Subject: [PATCH] feat(release): sign images with cosign (#25)

* feat(release): sign images
* debug
* debug
* re-enable scanning
* update action versions
---
 .github/workflows/release.yml | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 779aa13..08b2e0c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -110,22 +110,22 @@ jobs:
 # If this is a scheduled (nightly) build use latest release tag
 # Otherwise use referenced/default branch/tag
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 token: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
 submodules: recursive
 ref: ${{ steps.latest-release.outputs.latest-release }}
 if: ${{ github.event_name == 'schedule' }}
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 token: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
 submodules: recursive
 if: ${{ github.event_name != 'schedule' }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Login to Global ICR
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: icr.io
 # These are organization-wide secrets,
@@ -134,7 +134,7 @@ jobs:
 password: ${{ secrets.ICR_PASSWORD }}
 - name: Docker metadata
 id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: |
 ${{ inputs.image }}
@@ -164,7 +164,7 @@ jobs:
 - name: Build and push image to scan
 if: ${{ inputs.scan_image_enabled && ( github.ref_type != 'tag' || steps.check-ref.outputs.has_alpha == 'false' ) }}
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 # If your Dockerfile is not present in the root directory
 # change it to the correct subdirectory name
@@ -195,7 +195,8 @@ jobs:
 fail_if_overdue: ${{ inputs.scan_fail_if_overdue }}
 - name: Build and push
- uses: docker/build-push-action@v4
+ id: build-push
+ uses: docker/build-push-action@v5
 with:
 # If your Dockerfile is not present in the root directory
 # change it to the correct subdirectory name
@@ -215,3 +216,18 @@ jobs:
 build-args: |-
 SN_GITHUB_NPM_TOKEN=${{ secrets.NPM_TOKEN }}
 SN_GITHUB_NPM_REGISTRY=https://npm.pkg.github.com
+
+ - uses: sigstore/cosign-installer@main
+
+ - name: Write signing key to disk
+ run: echo "${{ secrets.CONTAINER_IMAGE_SIGNING_PRIVATE_KEY }}" > cosign.key
+
+ - name: Sign container image
+ run: |
+ cosign sign --key cosign.key \
+ -a "repo=${{ github.repository }}" \
+ -a "workflow=${{ github.workflow }}" \
+ -a "ref=${{ github.sha }}" \
+ ${{ inputs.image }}@${{ steps.build-push.outputs.digest }}
+ env:
+ COSIGN_PASSWORD: ${{ secrets.CONTAINER_IMAGE_SIGNING_PASSWORD }}
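Review bot: The signing key is written to the workspace in plaintext by `echo "${{ secrets.CONTAINER_IMAGE_SIGNING_PRIVATE_KEY }}" > cosign.key` and never removed, so it sits on disk for the rest of the job (and, on a self-hosted runner, possibly after it); cosign can read the key straight from an environment variable, so the `Write signing key to disk` step can be dropped and the file avoided entirely. `sigstore/cosign-installer@main` is also the only `uses:` in these hunks not on a version tag, and a branch ref lets the tool that produces your signatures change underneath you, so pin it to a release tag or, better, a full commit SHA. The `ref=${{ github.sha }}` annotation carries a commit SHA rather than a ref; naming it `sha=` (or adding `ref=${{ github.ref }}` alongside) would make the annotations unambiguous to whoever verifies them later. The rewrite below assumes the installed cosign supports the `env://` key reference; if it does not, at least add an `if: always()` cleanup step that deletes `cosign.key`.
```yaml
      - uses: sigstore/cosign-installer@v3  # pin to a release tag or commit SHA, never a branch

      - name: Sign container image
        run: |
          cosign sign --key env://COSIGN_PRIVATE_KEY \
            # … unchanged: the three -a annotations …
            ${{ inputs.image }}@${{ steps.build-push.outputs.digest }}
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.CONTAINER_IMAGE_SIGNING_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.CONTAINER_IMAGE_SIGNING_PASSWORD }}
```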