From d40251eac3ab9664717ddf2975200feb23ca4fee Mon Sep 17 00:00:00 2001
From: azlam-abdulsalam
Date: Sat, 2 Mar 2024 11:24:14 +1100
Subject: [PATCH] fix(cicd): add cosign installer
---
 .github/actions/copyDocker/action.yml | 12 +++++++++--
 .github/workflows/sfp-build-docker.yml | 4 +++-
 .github/workflows/sfp-copy-docker.yml | 30 ++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/.github/actions/copyDocker/action.yml b/.github/actions/copyDocker/action.yml
index afb25f729..7a4eedb99 100644
--- a/.github/actions/copyDocker/action.yml
+++ b/.github/actions/copyDocker/action.yml
@@ -27,7 +27,10 @@ inputs: token: type: string required: true - +outputs: digest: description: "digest of the image" + value: ${{ steps.copy-image.outputs.DIGEST }} runs: using: "composite"
@@ -39,10 +42,15 @@ runs: - uses: imjasonh/setup-crane@v0.1 - - name: tag image + - name: copy image + id: copy-image shell: bash run: | echo "${{ inputs.token }}" | crane auth login ${{ inputs.registry }} --username ${{ inputs.username }} --password-stdin crane cp ${{ inputs.registry }}/${{ inputs.repo }}/${{ inputs.image }}:${{ inputs.tag }} ${{ inputs.registry }}/${{ inputs.repo}}/${{ inputs.image-as }}:${{ inputs.with-tag }} + FULL_DIGEST=$(crane digest ${{ inputs.registry }}/${{ inputs.repo }}/${{ inputs.image-as }}:${{ inputs.with-tag }}) + DIGEST=${FULL_DIGEST#*:} + echo "DIGEST=$DIGEST" >> "$GITHUB_OUTPUT" +
diff --git a/.github/workflows/sfp-build-docker.yml b/.github/workflows/sfp-build-docker.yml
index ab147b9c3..f2eb7bf09 100644
--- a/.github/workflows/sfp-build-docker.yml
+++ b/.github/workflows/sfp-build-docker.yml
@@ -37,13 +37,15 @@ jobs: contents: read packages: write id-token: write - + steps: - uses: actions/checkout@v2 with: fetch-depth: 0 + - name: Install Cosign + uses: sigstore/cosign-installer@v3.4.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3
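Review bot: `DIGEST=${FULL_DIGEST#*:}` in the `copy image` step strips the `sha256:` algorithm prefix that `crane digest` prints, so the action's `digest` output is a bare hex string; the consumer added in `.github/workflows/sfp-copy-docker.yml` builds `${tag}@${DIGEST}` from it, and cosign's reference parser expects `@sha256:<hex>`, so the sign step would be handed an invalid digest reference. Keep the full value by replacing the two lines with `DIGEST=$(crane digest "${{ inputs.registry }}/${{ inputs.repo }}/${{ inputs.image-as }}:${{ inputs.with-tag }}")` and `echo "DIGEST=$DIGEST" >> "$GITHUB_OUTPUT"`, and state the format in the output declared in the previous hunk, e.g. `description: "sha256:<hex> digest of the copied image"`. Resolving the digest from the destination tag after `crane cp` also means whatever is at that tag at that moment is what gets signed, so if another run rewrites the tag in between the wrong image could be signed; resolving the source reference's digest before copying removes that window. The new line interpolates `${{ inputs.* }}` straight into the script text like the existing `crane cp` line does; passing those values through `env:` and referencing them as shell variables would keep untrusted input out of the script itself.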
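Review bot: The new `Install Cosign` step pins `sigstore/cosign-installer@v3.4.0` to a mutable release tag; since this tool produces the signatures the rest of the pipeline will trust, pin it to the full commit SHA of that release, `uses: sigstore/cosign-installer@<commit-sha-of-v3.4.0> # v3.4.0`, so a moved or re-pushed tag cannot swap the installer. The same line is added in the `@@ -34,12 +34,21 @@` hunk of `.github/workflows/sfp-copy-docker.yml` and should be pinned the same way. The `steps:` list this step joins continues outside the hunk.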
diff --git a/.github/workflows/sfp-copy-docker.yml b/.github/workflows/sfp-copy-docker.yml
index c7a11e745..a2cf5b18a 100644
--- a/.github/workflows/sfp-copy-docker.yml
+++ b/.github/workflows/sfp-copy-docker.yml
@@ -34,12 +34,21 @@ jobs: name: 'copy rc docker image to production' environment: ${{ inputs.job-environment }} runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: - uses: actions/checkout@v2 with: fetch-depth: 0 + - name: Install Cosign + uses: sigstore/cosign-installer@v3.4.0 + - name: 'Get package version' run: | echo "PKG_VERSION=$(jq -r ".version" packages/sfp-cli/package.json)" >> $GITHUB_ENV
@@ -56,8 +65,11 @@ jobs: token : ${{ secrets.token }} username : ${{ secrets.username }} + + - name: 'Copy Docker' uses: ./.github/actions/copyDocker + id: copy-docker with: repo: ${{ inputs.repo }} image: ${{ inputs.image }}
@@ -69,6 +81,24 @@ jobs: token: ${{ env.DOCKER_TOKEN }} + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v4.4.0 + with: + images: ghcr.io/${{ inputs.repo }}/${{ inputs.image-as }}:${{ env.PKG_VERSION }}-${{ github.run_id }} + + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.copy-docker.outputs.digest }} + TAGS: ghcr.io/${{ inputs.repo }}/${{ inputs.image-as }}:${{ env.PKG_VERSION }}-${{ github.run_id }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} + - name: 'Tag Docker' uses: ./.github/actions/tagDocker