-
Notifications
You must be signed in to change notification settings - Fork 12
88 lines (76 loc) · 2.94 KB
/
docker-image-sign.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: Docker Sign Test
on:
pull_request:
branches:
- main
push:
branches:
- main
tags:
- '*'
workflow_dispatch: {}
jobs:
test-sign-docker-image:
permissions:
contents: read
packages: write # needed to upload to packages to registry
id-token: write # needed for signing the images with GitHub OIDC Token
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
name: Test Sign Docker Image
runs-on: ubuntu-22.04
env:
PRERELEASE_IMAGE: kongcloud/security-test-repo-pub:ubuntu_23_10 #particular reason for the choice of image: test multi arch image
TAGS: kongcloud/security-test-repo-pub:ubuntu_23_10,kongcloud/security-test-repo:ubuntu_23_10
steps:
- uses: actions/checkout@v3
- name: Install regctl
uses: regclient/actions/regctl-installer@main
- name: Parse Image Manifest Digest
id: image_manifest_metadata
run: |
manifest_list_exists="$(
if regctl manifest get "${PRERELEASE_IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
echo true
else
echo false
fi
)"
echo "manifest_list_exists=$manifest_list_exists"
echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
manifest_sha="$(regctl image digest "${PRERELEASE_IMAGE}")"
echo "manifest_sha=$manifest_sha"
echo "manifest_sha=$manifest_sha" >> $GITHUB_OUTPUT
- name: Sign Image digest
id: sign_image
if: steps.image_manifest_metadata.outputs.manifest_sha != ''
uses: ./security-actions/sign-docker-image
with:
cosign_output_prefix: ubuntu-23-10
signature_registry: kongcloud/security-test-repo-sig-pub
tags: ${{ env.TAGS }}
image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
local_save_cosign_assets: true
registry_username: ${{ secrets.DOCKERHUB_PUSH_USERNAME }}
registry_password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }}
- name: Push Images
env:
RELEASE_TAG: kongcloud/security-test-repo:v1
run: |
docker pull ${PRERELEASE_IMAGE}
for tag in $RELEASE_TAG; do
regctl -v debug image copy ${PRERELEASE_IMAGE} $tag
done
- name: Sign Image digest
id: sign_image_v1
if: steps.image_manifest_metadata.outputs.manifest_sha != ''
uses: ./security-actions/sign-docker-image
env:
RELEASE_TAG: kongcloud/security-test-repo:v1
with:
cosign_output_prefix: v1 # Optional
local_save_cosign_assets: true # Optional
signature_registry: kongcloud/security-test-repo-sig-pub
tags: ${{ env.RELEASE_TAG }}
image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
registry_username: ${{ secrets.DOCKERHUB_PUSH_USERNAME }}
registry_password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }}