
sign images using cosign (#845)

Signed-off-by: cpanato <ctadeu@gmail.com>
This commit is contained in:
Carlos Tadeu Panato Junior 2022-03-19 21:07:50 +01:00 committed by GitHub
parent cdfa3b33b2
commit 332977caba
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 35 additions and 0 deletions


@ -186,6 +186,9 @@ jobs:
needs: detect-noop needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true' if: needs.detect-noop.outputs.noop != 'true'
permissions:
id-token: write
steps: steps:
- name: Setup QEMU - name: Setup QEMU
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@v1
@ -248,3 +251,13 @@ jobs:
run: make docker.promote run: make docker.promote
env: env:
RELEASE_TAG: main RELEASE_TAG: main
- name: Set up crane
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0
- name: Sign Artifacts to main release channel
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
run: make docker.sign
env:
RELEASE_TAG: main
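Review bot: Adding a job-level `permissions:` block that lists only `id-token: write` resets every other GITHUB_TOKEN scope for this job to none, so any step in this job that relied on the default token (the repository checkout, or a GHCR push if GHCR_USERNAME is backed by GITHUB_TOKEN) may begin failing with a permission error; the scopes the job actually uses should be listed alongside it, e.g. `contents: read` and, if applicable, `packages: write`. The same block is added to the `promote` job in the release workflow below and needs the same treatment. The second hunk installs crane but no cosign install step is visible in either hunk, so unless cosign is provided earlier in the job (outside this view) `make docker.sign` will fail on the runner. The job definition starts outside the hunk, so whether checkout and push use GITHUB_TOKEN or a separate secret cannot be confirmed from here.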


@ -16,6 +16,7 @@ jobs:
release: release:
name: Create Release name: Create Release
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
@ -68,6 +69,10 @@ jobs:
promote: promote:
name: Promote Container Image name: Promote Container Image
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
@ -88,3 +93,14 @@ jobs:
env: env:
RELEASE_TAG: ${{ github.event.inputs.version }} RELEASE_TAG: ${{ github.event.inputs.version }}
SOURCE_TAG: main SOURCE_TAG: main
- name: Set up crane
if: env.GHCR_USERNAME != ''
run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0
- name: Sign Container Image
if: env.GHCR_USERNAME != ''
run: make docker.sign
env:
RELEASE_TAG: ${{ github.event.inputs.version }}
SOURCE_TAG: main
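Review bot: The `if: env.GHCR_USERNAME != ''` guard on `Set up crane` and `Sign Container Image` means a missing or misnamed GHCR_USERNAME secret silently produces a promoted but unsigned release image while the job still reports success; if signing is meant to be a release requirement, the guard should be dropped or the step should fail loudly when the prerequisite is absent, e.g. a preceding `run: test -n "$GHCR_USERNAME" || { echo "GHCR_USERNAME not set; refusing to release unsigned image"; exit 1; }`. Separately, `RELEASE_TAG` here is `github.event.inputs.version`, which the Makefile expands textually into `crane digest` and `cosign sign` command lines, so a malformed dispatch input would be interpreted by the shell rather than rejected; validating the input against the expected tag format before these steps would contain that (workflow_dispatch already requires write access, so this is defence in depth). The `promote` job header is outside the hunk, so where GHCR_USERNAME is defined cannot be confirmed from here.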


@ -231,6 +231,12 @@ docker.promote: ## Promote the docker image to the registry
docker manifest push $(IMAGE_REGISTRY):$(RELEASE_TAG) docker manifest push $(IMAGE_REGISTRY):$(RELEASE_TAG)
@$(OK) docker push $(RELEASE_TAG) \ @$(OK) docker push $(RELEASE_TAG) \
docker.sign: ## Sign
@$(INFO) signing $(IMAGE_REGISTRY):$(RELEASE_TAG)
crane digest $(IMAGE_REGISTRY):$(RELEASE_TAG) > .digest
cosign sign $(IMAGE_REGISTRY)@$$(cat .digest)
@$(OK) cosign sign $(IMAGE_REGISTRY):$(RELEASE_TAG)
# ==================================================================================== # ====================================================================================
# Terraform # Terraform
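Review bot: `docker.sign` writes the resolved digest to a `.digest` file in the working tree and re-reads it on the next line, which leaves an untracked artefact behind (and would be picked up by a later `git add -A`); the two lines collapse into one with no temp file: `cosign sign $(IMAGE_REGISTRY)@$$(crane digest $(IMAGE_REGISTRY):$(RELEASE_TAG))`. Signing the digest rather than the tag is the right choice, but the success message `@$(OK) cosign sign $(IMAGE_REGISTRY):$(RELEASE_TAG)` reports the tag, so a reader of the CI log cannot tell which digest was attested; echoing the digest there would make the signature auditable. The help text `## Sign` is also thin compared with the neighbouring `## Promote the docker image to the registry`; `## Sign the promoted image by digest with cosign` would match. Whether cosign runs keyless here (using the OIDC token the workflows now grant) or with a configured key is not visible in this hunk.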