From eca6a60967999a303ceef5465f1acc35c83afd6d Mon Sep 17 00:00:00 2001 From: Kavindu Dodanduwa Date: Wed, 1 Feb 2023 11:53:10 -0800 Subject: [PATCH] feat: flagd image signing (#338) ## This PR fixes #328 Introduce image signing for flagd. Signature is pushed to OCR repository and public key will get added to release artefacts under the name `publicKey.pub` (referred through variable PUBLIC_KEY_FILE in GH action) **NOTE** - Require COSIGN_PRIVATE_KEY & COSIGN_PASSWORD secrets to be created. And decide how to expose public key --------- Signed-off-by: Kavindu Dodanduwa --- .github/workflows/release-please.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index b4a67eba6..7fdcc070a 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml @@ -7,6 +7,7 @@ env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} DEFAULT_GO_VERSION: 1.19.3 + PUBLIC_KEY_FILE: publicKey.pub name: Run Release Please jobs: @@ -77,6 +78,22 @@ jobs: COMMIT=${{ github.sha }} DATE=${{ steps.date.outputs.date }} + - name: Install Cosign + uses: sigstore/cosign-installer@main + + - name: Sign the image + run: | + cosign sign --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.release_tag_name }} + cosign public-key --key env://COSIGN_PRIVATE_KEY --outfile ${{ env.PUBLIC_KEY_FILE }} + env: + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + + - name: Bundle release assets + uses: softprops/action-gh-release@v1 + with: + files: ${{ env.PUBLIC_KEY_FILE }} + - name: SBOM for latest image uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0 with:
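Review bot: `uses: sigstore/cosign-installer@main` in the second hunk installs the tool that is handed COSIGN_PRIVATE_KEY from a mutable branch, so any change pushed to that branch runs with the release signing key; pin it to a commit SHA with a version comment, as the neighbouring `anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0` already does, e.g. `uses: sigstore/cosign-installer@<commit-sha> # <version>`, and the same applies to `softprops/action-gh-release@v1`. The "Bundle release assets" step passes no `tag_name`, and since this job runs from the release-please trigger on a branch ref rather than a tag, action-gh-release will most likely look for a tag in `github.ref` and fail or attach the key to the wrong release; add `tag_name: ${{ needs.release-please.outputs.release_tag_name }}` under `with:`. `cosign sign` is also given a tag reference rather than a digest, so the signature covers whatever the tag resolves to at that moment; if the preceding build/push step exposes the pushed digest, sign `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@<digest>` instead. The job these steps belong to starts outside the hunk.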