-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test image signing using cosign #3
base: main
Are you sure you want to change the base?
Changes from 9 commits
048988d
d05d259
08e7022
3037a4e
fefcaf0
2a704e1
777b003
6d737af
d6ba71e
2a8a361
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,12 @@ | ||
name: Publish release | ||
|
||
on: | ||
push: | ||
branches: [main] | ||
tags: | ||
- "v*.*.*" | ||
pull_request: | ||
branches: [main] | ||
release: | ||
types: | ||
- published | ||
|
@@ -10,9 +16,11 @@ on: | |
permissions: | ||
deployments: write | ||
contents: write | ||
id-token: write | ||
|
||
jobs: | ||
publish-release: | ||
name: Create Jaeger latest release | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
|
@@ -43,50 +51,79 @@ jobs: | |
- name: Install tools | ||
run: make install-ci | ||
|
||
- name: Configure GPG Key | ||
id: import_gpg | ||
uses: crazy-max/ghaction-import-gpg@v5 | ||
with: | ||
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | ||
passphrase: ${{ secrets.GPG_PASSPHRASE }} | ||
|
||
- name: Build binaries | ||
id: build-binaries | ||
run: make build-all-platforms | ||
|
||
- name: Package binaries | ||
id: package-binaries | ||
run: bash scripts/package-deploy.sh | ||
if: steps.build-binaries.outcome == 'success' | ||
|
||
- name: Upload binaries | ||
uses: svenstaro/upload-release-action@2b9d2847a97b04d02ad5c3df2d3a27baa97ce689 | ||
with: | ||
file: '{deploy/*.tar.gz,deploy/*.zip,deploy/*.sha256sum.txt,deploy/*.asc}' | ||
file_glob: true | ||
tag: ${{ github.ref }} | ||
repo_token: ${{ secrets.GITHUB_TOKEN }} | ||
if: steps.package-binaries.outcome == 'success' | ||
# - name: Configure GPG Key | ||
# id: import_gpg | ||
# uses: crazy-max/ghaction-import-gpg@v5 | ||
# with: | ||
# gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | ||
# passphrase: ${{ secrets.GPG_PASSPHRASE }} | ||
|
||
# - name: Build binaries | ||
# id: build-binaries | ||
# run: make build-all-platforms | ||
|
||
# - name: Package binaries | ||
# id: package-binaries | ||
# run: bash scripts/package-deploy.sh | ||
# if: steps.build-binaries.outcome == 'success' | ||
|
||
# - name: Upload binaries | ||
# uses: svenstaro/upload-release-action@2b9d2847a97b04d02ad5c3df2d3a27baa97ce689 | ||
# with: | ||
# file: '{deploy/*.tar.gz,deploy/*.zip,deploy/*.sha256sum.txt,deploy/*.asc}' | ||
# file_glob: true | ||
# tag: ${{ github.ref }} | ||
# repo_token: ${{ secrets.GITHUB_TOKEN }} | ||
# if: steps.package-binaries.outcome == 'success' | ||
|
||
- uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 | ||
|
||
- name: Build and upload all docker images | ||
id: build-and-publish | ||
run: bash scripts/build-upload-docker-images.sh | ||
env: | ||
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | ||
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} | ||
|
||
- name: Build, test, and publish all-in-one image | ||
run: bash scripts/build-all-in-one-image.sh | ||
# - name: Build, test, and publish all-in-one image | ||
# run: bash scripts/build-all-in-one-image.sh | ||
# env: | ||
# DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | ||
# QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} | ||
|
||
# - name: Build, test, and publish hotrod image | ||
# run: bash scripts/hotrod-integration-test.sh | ||
# env: | ||
# DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | ||
# QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} | ||
|
||
- name: Get Image Tag | ||
id: tags | ||
run: | | ||
echo "tag=$(bash scripts/compute-tags.sh)" | ||
|
||
- name: Get Image Digest | ||
id: digest | ||
run: | | ||
echo "imagedigest=$(docker images jaeger-build:${{ steps.tags.outputs.tag }} --digests --quiet --no-trunc)" >> $GITHUB_OUTPUT | ||
|
||
- name: Install Cosign | ||
uses: sigstore/cosign-installer@main | ||
|
||
- name: Sign the published Docker image | ||
# This step uses the identity token to provision an ephemeral certificate | ||
# against the sigstore community Fulcio instance. | ||
env: | ||
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | ||
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} | ||
DIGEST: ${{ steps.build-and-publish.outputs.digest }} | ||
TAG: ${{ steps.tags.outputs.tag }} | ||
run: echo "${TAG}, ${DIGEST}" | ||
# echo "${TAG}" | xargs -I {} cosign sign --yes {}@${DIGEST} | ||
|
||
- name: Build, test, and publish hotrod image | ||
run: bash scripts/hotrod-integration-test.sh | ||
- name: Sign the Container Images | ||
env: | ||
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | ||
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} | ||
COSIGN_EXPERIMENTAL: "true" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. you don't need this anymore since you are using cosign > v2.x here |
||
run: | | ||
cosign sign jaeger-build@${{ steps.digest.outputs.imagedigest }} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. you can read more about the risks of script injections: docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Any suggestion plz! |
||
|
||
- name: SBOM Generation | ||
uses: anchore/sbom-action@422cb34a0f8b599678c41b21163ea6088edb2624 | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(Optional) there are some tools that I can help you to find the digest of the image like crane, regctl, etc, without having the image stored locally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, plz! suggestions are welcome too. 😄
I had been trying hard to get the digest, but failed.