mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 12:17:56 +00:00
Code Activity

feat: sign images using cosign on build

Browse source 
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
This commit is contained in:
ShubhamPalriwala 2021-09-27 00:57:02 +05:30
parent 360f8d0bd9
commit 614975b1c6
2 changed files with 35 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
.github/workflows/image.yaml vendored
View file

@ -18,6 +18,11 @@ jobs:
with: with:
go-version: 1.16 go-version: 1.16
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
- name: login to GitHub Container Registry - name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -31,6 +36,11 @@ jobs:
run: | run: |
make docker-publish-initContainer make docker-publish-initContainer
- name: Sign image
run: |
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
push-kyverno: push-kyverno:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -45,6 +55,11 @@ jobs:
with: with:
go-version: 1.16 go-version: 1.16
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
- name: login to GitHub Container Registry - name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -58,6 +73,11 @@ jobs:
run: | run: |
make docker-publish-kyverno make docker-publish-kyverno
- name: Sign image
run: |
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
push-kyverno-cli: push-kyverno-cli:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -72,6 +92,11 @@ jobs:
with: with:
go-version: 1.16 go-version: 1.16
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
- name: login to GitHub Container Registry - name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -83,4 +108,9 @@ jobs:
- name: docker images publish - name: docker images publish
run: | run: |
make docker-publish-cli make docker-publish-cli
- name: Sign image
run: |
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/-cli:${KYVERNO_IMAGE_VERSION}

4
cosign.pub Normal file
View file

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxWHpvn2uMYqg174TmTcnGELOXXM
7/cGqLZW88FFceihl1WA24yKxtMBZqw/s06XqPqujqRzhkaSKa2zkRUWUA==
-----END PUBLIC KEY-----