From dd4be2f58049f3409c7110e60ea100b0e070ae30 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Wed, 4 May 2022 04:01:39 +0200 Subject: [PATCH] ci(github-actions): Enable cosign for nightly builds This patch adds a first PoC for cosign-signed container images. Cosign helps to authenticate the origin of a container image and is an important step towards supply chain integrity in the container ecosystem. This patch only introduces this change to nightly builds, in order to evaluate the changes before we utilise them for releases. Signed-off-by: Sheogorath --- .github/workflows/nightly.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index a5030a45..1cfbe09f 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -8,6 +8,9 @@ on: jobs: nightly: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write strategy: matrix: base: [debian, alpine] @@ -18,6 +21,11 @@ jobs: - name: Checkout uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + - name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.8.0' + - name: Set date run: echo TODAY=$(date +%Y%m%d) >> $GITHUB_ENV @@ -35,6 +43,7 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and push image + id: build-push uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # tag=v2 with: context: . @@ -47,3 +56,9 @@ jobs: tags: | ${{ env.HEDGEDOC_IMAGE }}:${{ env.TODAY }}-${{ matrix.base }} ${{ env.HEDGEDOC_IMAGE }}:${{ matrix.base }} + + - name: Sign the images with GitHub OIDC Token + run: cosign sign ${IMAGE} + env: + IMAGE: ${{ env.HEDGEDOC_IMAGE }}@${{ steps.build-push.outputs.digest }} + COSIGN_EXPERIMENTAL: 1
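Review bot: The new `Install cosign` step pulls `sigstore/cosign-installer@main`, a mutable branch ref, while every other action in this workflow is pinned to a full commit SHA with a `# tag=` comment (see `actions/checkout@2541b12…` and `docker/build-push-action@ac9327e…` in the surrounding context). This is the step that installs the tool doing the signing, and it runs in a job that now holds `id-token: write`, so an upstream change to `main` would execute with the ability to mint keyless signatures for this image. Pin it the same way as the rest of the file, `uses: sigstore/cosign-installer@<full-commit-sha>  # tag=<release-tag>` (placeholders: take the SHA of the release you intend to track), and keep `cosign-release: 'v1.8.0'` so the installed binary is versioned as well. A Dependabot/Renovate rule for the `github-actions` ecosystem would then keep the pin current.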
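Review bot: The `Sign the images with GitHub OIDC Token` step has no comment explaining the keyless flow it relies on, and the reader has to connect three hunks (the `id-token: write` permission, `COSIGN_EXPERIMENTAL: 1`, and the `@${{ steps.build-push.outputs.digest }}` reference) to understand why it works; a short comment above the step would help, e.g. `# Keyless signing: cosign (experimental mode in 1.x) exchanges the job's OIDC token for a short-lived signing certificate; signing the digest rather than the tag binds the signature to the exact image that was pushed.` Signing by digest rather than by tag is the right choice here, since the tags written in the hunk above are mutable. Minor: `COSIGN_EXPERIMENTAL: 1` is a YAML integer; GitHub stringifies it, but `COSIGN_EXPERIMENTAL: "1"` is the usual form for env values and avoids depending on that conversion.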