fix(cicd): add cosign installer

flxbl-io · Mar 2, 2024 · d40251e · d40251e
1 parent 66328a2
commit d40251e
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 3 deletions.
diff --git a/.github/actions/copyDocker/action.yml b/.github/actions/copyDocker/action.yml
@@ -27,7 +27,10 @@ inputs:
     token:
         type: string
         required: true
-
+outputs:
+  digest:
+    description: "digest of the image"
+    value: ${{ steps.copy-image.outputs.DIGEST }}
 
 runs:
     using: "composite"
@@ -39,10 +42,15 @@ runs:
 
      - uses: imjasonh/[email protected]
 
-     - name: tag image
+     - name: copy image
+       id: copy-image
        shell: bash
        run: |
          echo "${{ inputs.token }}" | crane auth login ${{ inputs.registry }} --username ${{ inputs.username }} --password-stdin
          crane  cp ${{ inputs.registry }}/${{ inputs.repo }}/${{ inputs.image }}:${{ inputs.tag }}  ${{ inputs.registry }}/${{ inputs.repo}}/${{ inputs.image-as }}:${{ inputs.with-tag }}
+         FULL_DIGEST=$(crane digest ${{ inputs.registry }}/${{ inputs.repo }}/${{ inputs.image-as }}:${{ inputs.with-tag }})
+         DIGEST=${FULL_DIGEST#*:}
+         echo "DIGEST=$DIGEST" >> "$GITHUB_OUTPUT"
+
 
  
diff --git a/.github/workflows/sfp-build-docker.yml b/.github/workflows/sfp-build-docker.yml
@@ -37,13 +37,15 @@ jobs:
       contents: read
       packages: write
       id-token: write 
-      
+
     steps:
 
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
 
+    - name: Install Cosign
+      uses: sigstore/[email protected]
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3

diff --git a/.github/workflows/sfp-copy-docker.yml b/.github/workflows/sfp-copy-docker.yml
@@ -34,12 +34,21 @@ jobs:
     name: 'copy rc docker image to production'
     environment: ${{ inputs.job-environment }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write 
+
+
     steps:
 
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
 
+    - name: Install Cosign
+      uses: sigstore/[email protected]
+
     - name: 'Get package version'
       run: |
          echo "PKG_VERSION=$(jq -r ".version" packages/sfp-cli/package.json)" >> $GITHUB_ENV
@@ -56,8 +65,11 @@ jobs:
          token : ${{ secrets.token }}
          username : ${{ secrets.username }}
 
+
+
     - name: 'Copy Docker'
       uses: ./.github/actions/copyDocker
+      id: copy-docker
       with:
          repo: ${{ inputs.repo }}
          image: ${{ inputs.image }}
@@ -69,6 +81,24 @@ jobs:
          token: ${{ env.DOCKER_TOKEN }}
 
 
+    - name: Extract Docker metadata
+      id: meta
+      uses: docker/[email protected]
+      with:
+          images:  ghcr.io/${{ inputs.repo }}/${{ inputs.image-as }}:${{ env.PKG_VERSION }}-${{ github.run_id }}
+
+
+    - name: Sign the images with GitHub OIDC Token
+      env:
+         DIGEST: ${{ steps.copy-docker.outputs.digest }}
+         TAGS:  ghcr.io/${{ inputs.repo }}/${{ inputs.image-as }}:${{ env.PKG_VERSION }}-${{ github.run_id }}
+      run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
 
     - name: 'Tag Docker'
       uses: ./.github/actions/tagDocker