diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8e3b1cd4..8d219cd81 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -186,6 +186,9 @@ jobs: needs: detect-noop if: needs.detect-noop.outputs.noop != 'true' + permissions: + id-token: write + steps: - name: Setup QEMU uses: docker/setup-qemu-action@v1 @@ -248,3 +251,13 @@ jobs: run: make docker.promote env: RELEASE_TAG: main + + - name: Set up crane + if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != '' + run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0 + + - name: Sign Artifacts to main release channel + if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != '' + run: make docker.sign + env: + RELEASE_TAG: main diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f8fa4a431..4bdac95fd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,6 +16,7 @@ jobs: release: name: Create Release runs-on: ubuntu-latest + steps: - name: Checkout uses: actions/checkout@v3 @@ -68,6 +69,10 @@ jobs: promote: name: Promote Container Image runs-on: ubuntu-latest + + permissions: + id-token: write + steps: - name: Checkout uses: actions/checkout@v3 @@ -88,3 +93,14 @@ jobs: env: RELEASE_TAG: ${{ github.event.inputs.version }} SOURCE_TAG: main + + - name: Set up crane + if: env.GHCR_USERNAME != '' + run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0 + + - name: Sign Container Image + if: env.GHCR_USERNAME != '' + run: make docker.sign + env: + RELEASE_TAG: ${{ github.event.inputs.version }} + SOURCE_TAG: main diff --git a/Makefile b/Makefile index c089d86da..3431b55a0 100644 --- a/Makefile +++ b/Makefile 
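Review bot: Declaring `permissions:` at job level with only `id-token: write` (the `@@ -186,6 +186,9 @@` hunk) sets every other GITHUB_TOKEN scope for that job to none, so any step in the job that relies on the default token — `actions/checkout`, or a GHCR login/push done with GITHUB_TOKEN — can lose access; the same applies to the `promote` job in release.yml (`@@ -68,6 +69,10 @@`). If the registry login uses the GHCR_USERNAME secret rather than GITHUB_TOKEN the push is unaffected, but checkout is safest with the scope spelled out: `permissions:` / `id-token: write` / `contents: read`. A comment above the block such as `# id-token is needed for OIDC-based (presumably keyless) cosign signing in make docker.sign` would tell the next reader why the scope exists. The enclosing job definition starts before this hunk.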
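Review bot: The new `Set up crane` step (`@@ -248,3 +251,13 @@`) runs `go install ...crane@v0.8.0`, but nothing in the hunk sets up a Go toolchain or puts `$(go env GOPATH)/bin` on PATH for the following `make docker.sign` step; if the job configures Go earlier (outside the hunk) this is fine, otherwise `crane` will not be found at sign time. Pinning crane to a version is good; cosign itself is invoked by the Makefile target but no step here installs or pins it, so confirm the runner's cosign is version-pinned the same way. If that cosign is a 1.x release, keyless signing also needs `COSIGN_EXPERIMENTAL: 1` in the step `env:` — worth checking against the installed version. The enclosing `steps:` list starts before this hunk.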
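Review bot: `SOURCE_TAG: main` is passed to `make docker.sign` in the release.yml `@@ -88,3 +93,14 @@` hunk, but the `docker.sign` target added in this same diff reads only `IMAGE_REGISTRY` and `RELEASE_TAG`, so the variable is dead here and suggests the sign step copies from main; drop it or add `# SOURCE_TAG is not used by docker.sign` if it is kept for symmetry with the promote step. The `if: env.GHCR_USERNAME != ''` guard means a missing secret silently skips signing of a released image; for a dispatched release a loud failure may be preferable, e.g. an earlier step `run: test -n "$GHCR_USERNAME"`. The `promote` job starts before this hunk.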
@@ -231,6 +231,12 @@ docker.promote: ## Promote the docker image to the registry docker manifest push $(IMAGE_REGISTRY):$(RELEASE_TAG) @$(OK) docker push $(RELEASE_TAG) \ +docker.sign: ## Sign + @$(INFO) signing $(IMAGE_REGISTRY):$(RELEASE_TAG) + crane digest $(IMAGE_REGISTRY):$(RELEASE_TAG) > .digest + cosign sign $(IMAGE_REGISTRY)@$$(cat .digest) + @$(OK) cosign sign $(IMAGE_REGISTRY):$(RELEASE_TAG) + # ==================================================================================== # Terraform
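Review bot: `docker.sign` leaves an untracked `.digest` file in the working tree; resolving the digest inline keeps the recipe self-contained, `cosign sign $(IMAGE_REGISTRY)@$$(crane digest $(IMAGE_REGISTRY):$(RELEASE_TAG))`. Signing the resolved digest rather than the mutable tag is the right choice, and the help string should say so instead of `## Sign`, e.g. `## Sign the promoted image digest with cosign`. The context line just above the new target appears to end in a backslash; if that continuation is real in the Makefile, `docker.sign: ## Sign` would be folded into the `docker.promote` recipe, so confirm the preceding recipe line ends cleanly. Nothing verifies the signature after it is produced; a `cosign verify` step against the expected signing identity, or at least a comment documenting which identity consumers should pin, would close the loop.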