keyless signing kyverno images with digest (#2896)

* signing with digest Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * keyless signing Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * adding annotations Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * keyless image signing with digest in release workflow Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-01-04 21:38:28 +05:30 · 2022-01-04 21:38:28 +05:30 · d126280184
commit d126280184
parent 3f2caccab5
2 changed files with 48 additions and 21 deletions
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -34,15 +34,19 @@ jobs:
          install: true

      - name: docker images publish
+        id: push-step
        run: |
          make docker-publish-sigs
          make docker-publish-initContainer-dev

      - name: Sign image
-        run: |
-          export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
-          KYVERNO_IMAGE_VERSION=$(git describe --match "[0-9].[0-9]-dev*")
-          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign sign \ 
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/kyverno/kyvernopre@${{ steps.push-step.outputs.digest }}

  push-kyverno:
    runs-on: ubuntu-latest
@ -73,14 +77,18 @@ jobs:
          install: true

      - name: docker images publish
+        id: push-step
        run: |
          make docker-publish-kyverno-dev

      - name: Sign image
-        run: |
-          export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
-          KYVERNO_IMAGE_VERSION=$(git describe --match "[0-9].[0-9]-dev*")
-          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign sign \ 
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/kyverno/kyverno@${{ steps.push-step.outputs.digest }}

  push-kyverno-cli:
    runs-on: ubuntu-latest
@ -111,11 +119,15 @@ jobs:
          install: true

      - name: docker images publish
+        id: push-step
        run: |
          make docker-publish-cli-dev

      - name: Sign image
-        run: |
-          export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
-          KYVERNO_IMAGE_VERSION=$(git describe --match "[0-9].[0-9]-dev*")
-          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_IMAGE_VERSION}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign sign \ 
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/kyverno/kyverno-cli@${{ steps.push-step.outputs.digest }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -50,14 +50,19 @@ jobs:
          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"

      - name :  docker images publish
+        id: push-step
        run: |
          make docker-publish-sigs
          make docker-publish-initContainer

      - name: Sign image
-        run: |
-          export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
-          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign sign \ 
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/kyverno/kyvernopre@${{ steps.push-step.outputs.digest }}

  release-kyverno:
    runs-on: ubuntu-latest
@ -117,14 +122,19 @@ jobs:
          path: kyverno-v*-bom.cdx.json

      - name :  docker images publish
+        id: push-step
        run: |
          make docker-publish-sbom
          make docker-publish-kyverno

      - name: Sign image and SBOM
-        run: |
-          export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
-          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign sign \ 
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/kyverno/kyverno@${{ steps.push-step.outputs.digest }}
          cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest

      - name: Trivy Scan Image
@ -183,13 +193,18 @@ jobs:
          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"

      - name :  docker images publish
+        id: push-step
        run: |
          make docker-publish-cli

      - name: Sign image
-        run: |
-          export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
-          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign sign \ 
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/kyverno/kyverno-cli@${{ steps.push-step.outputs.digest }}
  
  create-release:
    runs-on: ubuntu-latest