feat: sign images using cosign on build
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
parent
360f8d0bd9
commit
614975b1c6
2 changed files with 35 additions and 1 deletions
32
.github/workflows/image.yaml
vendored
32
.github/workflows/image.yaml
vendored
|
@ -18,6 +18,11 @@ jobs:
|
||||||
with:
|
with:
|
||||||
go-version: 1.16
|
go-version: 1.16
|
||||||
|
|
||||||
|
- name: Install Cosign
|
||||||
|
uses: sigstore/cosign-installer@main
|
||||||
|
with:
|
||||||
|
cosign-release: 'v1.2.1'
|
||||||
|
|
||||||
- name: login to GitHub Container Registry
|
- name: login to GitHub Container Registry
|
||||||
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
||||||
|
|
||||||
|
@ -31,6 +36,11 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
make docker-publish-initContainer
|
make docker-publish-initContainer
|
||||||
|
|
||||||
|
- name: Sign image
|
||||||
|
run: |
|
||||||
|
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||||
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
|
||||||
|
|
||||||
push-kyverno:
|
push-kyverno:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
@ -45,6 +55,11 @@ jobs:
|
||||||
with:
|
with:
|
||||||
go-version: 1.16
|
go-version: 1.16
|
||||||
|
|
||||||
|
- name: Install Cosign
|
||||||
|
uses: sigstore/cosign-installer@main
|
||||||
|
with:
|
||||||
|
cosign-release: 'v1.2.1'
|
||||||
|
|
||||||
- name: login to GitHub Container Registry
|
- name: login to GitHub Container Registry
|
||||||
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
||||||
|
|
||||||
|
@ -58,6 +73,11 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
make docker-publish-kyverno
|
make docker-publish-kyverno
|
||||||
|
|
||||||
|
- name: Sign image
|
||||||
|
run: |
|
||||||
|
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||||
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
|
||||||
|
|
||||||
push-kyverno-cli:
|
push-kyverno-cli:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
@ -72,6 +92,11 @@ jobs:
|
||||||
with:
|
with:
|
||||||
go-version: 1.16
|
go-version: 1.16
|
||||||
|
|
||||||
|
- name: Install Cosign
|
||||||
|
uses: sigstore/cosign-installer@main
|
||||||
|
with:
|
||||||
|
cosign-release: 'v1.2.1'
|
||||||
|
|
||||||
- name: login to GitHub Container Registry
|
- name: login to GitHub Container Registry
|
||||||
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
||||||
|
|
||||||
|
@ -83,4 +108,9 @@ jobs:
|
||||||
|
|
||||||
- name: docker images publish
|
- name: docker images publish
|
||||||
run: |
|
run: |
|
||||||
make docker-publish-cli
|
make docker-publish-cli
|
||||||
|
|
||||||
|
- name: Sign image
|
||||||
|
run: |
|
||||||
|
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||||
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/-cli:${KYVERNO_IMAGE_VERSION}
|
||||||
|
|
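Review bot: All three `Install Cosign` steps use `uses: sigstore/cosign-installer@main`, a mutable branch reference, in jobs that then pass `KYVERNO_COSIGN_PRIVATE_KEY` and its password to the installed tool; pinning to a full commit SHA (`uses: sigstore/cosign-installer@<commit-sha>  # <release tag>`, placeholders) keeps a later change on that branch from altering what runs next to the signing key. In the three `Sign image` steps the secrets are expanded by `${{ }}` into the script text before the shell parses it, so a quote or `$` in the key material changes the command; mapping them under the step's `env:` (cosign reads `COSIGN_PASSWORD`) and referencing shell variables avoids that. Those steps also sign `...:${KYVERNO_IMAGE_VERSION}` by tag rather than by the digest that was just pushed, so the signature covers whatever the tag resolves to at signing time, and `git describe` is recomputed here instead of reusing the value the `make docker-publish-*` target pushed. The last step's reference reads `ghcr.io/-cli:${KYVERNO_IMAGE_VERSION}` on this page, which is not a valid image name; this may be an extraction artifact, but it should be checked against the repository that `make docker-publish-cli` pushes to.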
4
cosign.pub
Normal file
4
cosign.pub
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxWHpvn2uMYqg174TmTcnGELOXXM
|
||||||
|
7/cGqLZW88FFceihl1WA24yKxtMBZqw/s06XqPqujqRzhkaSKa2zkRUWUA==
|
||||||
|
-----END PUBLIC KEY-----
|