Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test image signing using cosign #3

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open
Changes from 9 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/ci-all-in-one-build.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions:
4 changes: 2 additions & 2 deletions .github/workflows/ci-build-binaries.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions:
4 changes: 2 additions & 2 deletions .github/workflows/ci-cassandra.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions: # added using https://github.com/step-security/secure-workflows
4 changes: 2 additions & 2 deletions .github/workflows/ci-crossdock.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions:
4 changes: 2 additions & 2 deletions .github/workflows/ci-docker-build.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions:
4 changes: 2 additions & 2 deletions .github/workflows/ci-elasticsearch.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions: # added using https://github.com/step-security/secure-workflows
4 changes: 2 additions & 2 deletions .github/workflows/ci-grpc-badger.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions: # added using https://github.com/step-security/secure-workflows
4 changes: 2 additions & 2 deletions .github/workflows/ci-hotrod.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions:
4 changes: 2 additions & 2 deletions .github/workflows/ci-kafka.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions: # added using https://github.com/step-security/secure-workflows
4 changes: 2 additions & 2 deletions .github/workflows/ci-opensearch.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions: # added using https://github.com/step-security/secure-workflows
4 changes: 2 additions & 2 deletions .github/workflows/ci-protogen-tests.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions: # added using https://github.com/step-security/secure-workflows
101 changes: 69 additions & 32 deletions .github/workflows/ci-release.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,12 @@
name: Publish release

on:
push:
branches: [main]
tags:
- "v*.*.*"
pull_request:
branches: [main]
release:
types:
- published
@@ -10,9 +16,11 @@ on:
permissions:
deployments: write
contents: write
id-token: write

jobs:
publish-release:
name: Create Jaeger latest release
runs-on: ubuntu-latest

steps:
@@ -43,50 +51,79 @@ jobs:
- name: Install tools
run: make install-ci

- name: Configure GPG Key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v5
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}

- name: Build binaries
id: build-binaries
run: make build-all-platforms

- name: Package binaries
id: package-binaries
run: bash scripts/package-deploy.sh
if: steps.build-binaries.outcome == 'success'

- name: Upload binaries
uses: svenstaro/upload-release-action@2b9d2847a97b04d02ad5c3df2d3a27baa97ce689
with:
file: '{deploy/*.tar.gz,deploy/*.zip,deploy/*.sha256sum.txt,deploy/*.asc}'
file_glob: true
tag: ${{ github.ref }}
repo_token: ${{ secrets.GITHUB_TOKEN }}
if: steps.package-binaries.outcome == 'success'
# - name: Configure GPG Key
# id: import_gpg
# uses: crazy-max/ghaction-import-gpg@v5
# with:
# gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
# passphrase: ${{ secrets.GPG_PASSPHRASE }}

# - name: Build binaries
# id: build-binaries
# run: make build-all-platforms

# - name: Package binaries
# id: package-binaries
# run: bash scripts/package-deploy.sh
# if: steps.build-binaries.outcome == 'success'

# - name: Upload binaries
# uses: svenstaro/upload-release-action@2b9d2847a97b04d02ad5c3df2d3a27baa97ce689
# with:
# file: '{deploy/*.tar.gz,deploy/*.zip,deploy/*.sha256sum.txt,deploy/*.asc}'
# file_glob: true
# tag: ${{ github.ref }}
# repo_token: ${{ secrets.GITHUB_TOKEN }}
# if: steps.package-binaries.outcome == 'success'

- uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18

- name: Build and upload all docker images
id: build-and-publish
run: bash scripts/build-upload-docker-images.sh
env:
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}

- name: Build, test, and publish all-in-one image
run: bash scripts/build-all-in-one-image.sh
# - name: Build, test, and publish all-in-one image
# run: bash scripts/build-all-in-one-image.sh
# env:
# DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
# QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}

# - name: Build, test, and publish hotrod image
# run: bash scripts/hotrod-integration-test.sh
# env:
# DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
# QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}

- name: Get Image Tag
id: tags
run: |
echo "tag=$(bash scripts/compute-tags.sh)"

- name: Get Image Digest
id: digest
run: |
echo "imagedigest=$(docker images jaeger-build:${{ steps.tags.outputs.tag }} --digests --quiet --no-trunc)" >> $GITHUB_OUTPUT

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Optional) there are some tools that I can help you to find the digest of the image like crane, regctl, etc, without having the image stored locally.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, plz! suggestions are welcome too. 😄
I had been trying hard to get the digest, but failed.


- name: Install Cosign
uses: sigstore/cosign-installer@main

- name: Sign the published Docker image
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
env:
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
DIGEST: ${{ steps.build-and-publish.outputs.digest }}
TAG: ${{ steps.tags.outputs.tag }}
run: echo "${TAG}, ${DIGEST}"
# echo "${TAG}" | xargs -I {} cosign sign --yes {}@${DIGEST}

- name: Build, test, and publish hotrod image
run: bash scripts/hotrod-integration-test.sh
- name: Sign the Container Images
env:
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
COSIGN_EXPERIMENTAL: "true"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you don't need this anymore since you are using cosign > v2.x here

run: |
cosign sign jaeger-build@${{ steps.digest.outputs.imagedigest }}

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any suggestion plz! cosign sign jaeger-build@${{ steps.digest.outputs.imagedigest }} didn't work for me.


- name: SBOM Generation
uses: anchore/sbom-action@422cb34a0f8b599678c41b21163ea6088edb2624
4 changes: 2 additions & 2 deletions .github/workflows/ci-unit-tests.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions: # added using https://github.com/step-security/secure-workflows
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

schedule:
- cron: '31 6 * * 1'
4 changes: 2 additions & 2 deletions .github/workflows/fossa.yml
Original file line number Diff line number Diff line change
@@ -4,8 +4,8 @@ on:
push:
branches: [main]

pull_request:
branches: [main]
# pull_request:
# branches: [main]

# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
permissions: