chore: adds image signing with cosign to publish.yml (#82)
* chore: adds image signing with cosign to publish.yml

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* chore: add ignore line for KICS false positive

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* fix: update the verification steps to add identity regexp and issuer

Adds a regular expression so that a consumer can verify that the image was published
from the expected repository.

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

---------

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
jpower432 authored Dec 13, 2023
1 parent 3c68011 commit f6f7035
Showing 1 changed file with 32 additions and 6 deletions.
38 changes: 32 additions & 6 deletions .github/workflows/publish.yml
Expand Up @@ -29,24 +29,34 @@ jobs:
runs-on: 'ubuntu-latest'
permissions:
contents: read
# kics-scan ignore-line
id-token: write # needed for signing the images with GitHub OIDC Token
outputs:
skip_tests: ${{ steps.check_event.outputs.event_type == 'release' ||
(steps.check_event.outputs.event_type == 'workflow_dispatch' &&
github.event.inputs.skip_tests == 'true') }}
image: ${{ env.IMAGE_REGISTRY }}/${{ vars.QUAY_ORG }}/${{ env.IMAGE_NAME }}@${{ steps.build-image.outputs.digest }}
image: ${{ steps.set_image_repo.outputs.image_repo }}@${{ steps.build-and-push.outputs.digest }}
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Set up cosign
uses: sigstore/cosign-installer@v3.1.1

- name: Login to Quay
uses: docker/login-action@v3
with:
username: ${{ secrets.QUAY_USER }}
password: ${{ secrets.QUAY_TOKEN }}
registry: ${{ env.IMAGE_REGISTRY }}

- name: Set image repository
id: set_image_repo
run: |
echo "image_repo=${{ env.IMAGE_REGISTRY }}/${{ vars.QUAY_ORG }}/${{ env.IMAGE_NAME }}" >> "$GITHUB_OUTPUT"
- name: Check if triggered by release or workflow dispatch
id: check_event
Expand All @@ -72,17 +82,18 @@ jobs:

- name: Build and export to Docker
uses: docker/build-push-action@v5
id: build-and-export
with:
load: true
no-cache: ${{ env.NO_CACHE == 'true' }}
cache-from: type=gha
cache-to: type=gha,mode=max
tags: ${{ env.IMAGE_REGISTRY }}/${{ vars.QUAY_ORG }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
tags: ${{ steps.set_image_repo.outputs.image_repo }}:${{ env.TAG }}

- name: Pre-push Image Scan
uses: aquasecurity/trivy-action@0.16.0
with:
image-ref: ${{ env.IMAGE_REGISTRY }}/${{ vars.QUAY_ORG }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
image-ref: ${{ steps.set_image_repo.outputs.image_repo }}:${{ env.TAG }}
exit-code: 1
skip-files: "**/.venv/lib/**/METADATA"
scanners: secret
Expand All @@ -91,10 +102,25 @@ jobs:
# Does not rebuild. Uses internal cache from previous step.
- name: Build and Push
uses: docker/build-push-action@v5
id: build-image
id: build-and-push
with:
push: true
tags: ${{ env.IMAGE_REGISTRY }}/${{ vars.QUAY_ORG }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
tags: ${{ steps.set_image_repo.outputs.image_repo }}:${{ env.TAG }}

- name: Sign the image with GitHub OIDC Token
run: cosign sign --yes "$IMAGE@$DIGEST"
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}

- name: Verify image
run: |
cosign verify "$IMAGE@$DIGEST" --certificate-identity-regexp="$SUBJECT" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
env:
SUBJECT: https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/.+
IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}

test:
permissions:
Expand All @@ -103,4 +129,4 @@ jobs:
if: ${{ needs.publish-image.outputs.skip_tests != 'true' }}
uses: ./.github/workflows/e2e.yml
with:
image: ${{ needs.publish-image.outputs.image }}
image: ${{ needs.publish-image.outputs.image }}
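Review bot: The identity regexp in the new Verify step (`SUBJECT: https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/.+`) is unanchored and ends in `.+`, so it accepts a certificate issued to any workflow file under `.github/` on any ref of the repository (the e2e workflow invoked below would satisfy it), and cosign matches the regexp unanchored, so without a leading `^` a longer SAN that merely contains this path would also pass. Since the commit message presents this value as what consumers should verify against, it should name the publishing workflow and be anchored: `SUBJECT: ^https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/workflows/publish\.yml@refs/.+$` (restrict the ref part further if only tags or one branch may publish). The in-job Verify step checks a signature this same run just produced, so it confirms the Fulcio/Rekor round-trip rather than giving an independent trust decision; a one-line comment such as `# Sanity check only: verifies the signature this job just created; consumers must verify independently` would keep readers from over-reading it. Separately, `sigstore/cosign-installer@v3.1.1` is the step on which the signing guarantee rests yet it is pinned to a mutable tag; pinning it to the tag's commit SHA (with the version kept in a trailing comment) is the usual practice for signing tooling, even though the other actions in this file still float on major versions.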
