diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 0b5d42746c..dcd9af9d62 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -18,6 +18,11 @@ jobs: with: go-version: 1.16 + - name: Install Cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.2.1' + - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin @@ -31,6 +36,11 @@ jobs: run: | make docker-publish-initContainer + - name: Sign image + run: | + KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*") + echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION} + push-kyverno: runs-on: ubuntu-latest steps: @@ -45,6 +55,11 @@ jobs: with: go-version: 1.16 + - name: Install Cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.2.1' + - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin @@ -58,6 +73,11 @@ jobs: run: | make docker-publish-kyverno + - name: Sign image + run: | + KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*") + echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION} + push-kyverno-cli: runs-on: ubuntu-latest steps: @@ -72,6 +92,11 @@ jobs: with: go-version: 1.16 + - name: Install Cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.2.1' + - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin 
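Review bot: The added `uses: sigstore/cosign-installer@main` follows a mutable branch, and the binary this step installs is the one later handed the cosign private key and its password. Any change to that branch takes effect on the next run without review in this repository. Pin the action to a full commit SHA and keep the release as a trailing comment, `uses: sigstore/cosign-installer@<full-commit-sha>  # <release-tag>`. The same line is added in the push-kyverno and push-kyverno-cli jobs (hunks at -45 and -72). The job's step list begins outside this hunk.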
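Review bot: The `Sign image` step splices `${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}` and `${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}` into the script text before the shell parses it. A `"`, `$` or backtick in either value will therefore be interpreted by the shell, which can break the command or produce a different key or password than the stored one. Passing both through `env:` and quoting the variables avoids this; the same applies to the `Sign image` steps in the hunks at -58 and -83. Separately, the step signs whatever the tag resolves to at signing time rather than the digest that `make docker-publish-initContainer` pushed. Signing by digest would bind the signature to the exact image, though the Makefile is not visible here, so whether it exposes the digest needs checking.

```yaml
      - name: Sign image
        env:
          COSIGN_PASSWORD: ${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}
        run: |
          # … unchanged: KYVERNO_IMAGE_VERSION from git describe …
          printf '%s' "$COSIGN_PASSWORD" | cosign sign -key <(printf '%s' "$COSIGN_PRIVATE_KEY") "ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}"
```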
@@ -83,4 +108,9 @@ jobs: - name: docker images publish run: | - make docker-publish-cli \ No newline at end of file + make docker-publish-cli + + - name: Sign image + run: | + KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*") + echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/-cli:${KYVERNO_IMAGE_VERSION} diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 0000000000..c7a558d4c7 --- /dev/null +++ b/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxWHpvn2uMYqg174TmTcnGELOXXM +7/cGqLZW88FFceihl1WA24yKxtMBZqw/s06XqPqujqRzhkaSKa2zkRUWUA== +-----END PUBLIC KEY----- \ No newline at end of file
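Review bot: The image reference in this `Sign image` step reads `ghcr.io/-cli:${KYVERNO_IMAGE_VERSION}`, which has no repository path. As written, cosign would either reject it or look for an image the workflow never pushed, leaving the CLI image unsigned. The other two jobs sign `ghcr.io/kyverno/kyvernopre` and `ghcr.io/kyverno/kyverno`, so the intended name is presumably `ghcr.io/kyverno/kyverno-cli:${KYVERNO_IMAGE_VERSION}`. Confirm this against what `make docker-publish-cli` actually pushes, since the Makefile is not part of this diff.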