Implement cosign on docker image (#16774)

Signed-off-by: Gaël Goinvic <gaelg@element.io>
This commit is contained in:
Gaël Goinvic 2024-01-04 12:49:33 +01:00 committed by GitHub
parent 25b3ba5328
commit 9ee3db1de5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 1 deletions

View File

@ -11,7 +11,7 @@ on:
permissions: permissions:
contents: read contents: read
packages: write packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -29,6 +29,9 @@ jobs:
- name: Inspect builder - name: Inspect builder
run: docker buildx inspect run: docker buildx inspect
- name: Install Cosign
uses: sigstore/cosign-installer@v3.3.0
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -68,6 +71,7 @@ jobs:
type=pep440,pattern={{raw}} type=pep440,pattern={{raw}}
- name: Build and push all platforms - name: Build and push all platforms
id: build-and-push
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
push: true push: true
@ -82,3 +86,14 @@ jobs:
# https://github.com/rust-lang/cargo/issues/10583 # https://github.com/rust-lang/cargo/issues/10583
build-args: | build-args: |
CARGO_NET_GIT_FETCH_WITH_CLI=true CARGO_NET_GIT_FETCH_WITH_CLI=true
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
TAGS: ${{ steps.set-tag.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}

1
changelog.d/16774.misc Normal file
View File

@ -0,0 +1 @@
Sign the published docker image using [cosign](https://docs.sigstore.dev/).