Skip to content

Commit

Permalink
Merge pull request #117 from kube-logging/feat/artifact-signing
Browse files Browse the repository at this point in the history 
feat: artifact signing
  • Loading branch information
@csatib02
csatib02 authored Dec 16, 2024
2 parents bd3d795 + 1886551 commit 99207f4
Showing 1 changed file with 53 additions and 1 deletion.
54 changes: 53 additions & 1 deletion .github/workflows/artifacts.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,9 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Set up Cosign
uses: sigstore/cosign-installer@v3

- name: Set image name
id: image-name
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
Expand Down Expand Up @@ -120,6 +123,32 @@ jobs:
outputs: ${{ steps.build-output.outputs.value }},name=target
# push: ${{ inputs.publish }}

- name: Sign image with GitHub OIDC Token
if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS[@]}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
- name: Verify signed image with cosign
if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
for tag in ${TAGS[@]}; do
cosign verify "${tag}@${DIGEST}" \
--rekor-url "https://rekor.sigstore.dev/" \
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
done
- name: Set image ref
id: image-ref
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
Expand Down Expand Up @@ -154,6 +183,7 @@ jobs:
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
with:
sarif_file: trivy-results.sarif

helm-chart:
name: Helm chart
runs-on: ubuntu-latest
Expand All @@ -176,6 +206,9 @@ jobs:
- name: Set up Helm
uses: azure/setup-helm@v4.2.0

- name: Set up Cosign
uses: sigstore/cosign-installer@v3

- name: Set chart name
id: chart-name
run: echo "value=${{ github.event.repository.name }}" >> "$GITHUB_OUTPUT"
Expand Down Expand Up @@ -223,11 +256,30 @@ jobs:
if: inputs.publish && inputs.release

- name: Helm push
run: helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }}
id: push
run: |
helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }} &> push-metadata.txt
echo "digest=$(awk '/Digest: /{print $2}' push-metadata.txt)" >> "$GITHUB_OUTPUT"
env:
HELM_REGISTRY_CONFIG: ~/.docker/config.json
if: inputs.publish && inputs.release

- name: Sign chart with GitHub OIDC Token
if: ${{ inputs.publish && inputs.release && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.push.outputs.digest }}
run: cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}"

- name: Verify signed chart with cosign
if: ${{ inputs.publish && inputs.release && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.push.outputs.digest }}
run: |
cosign verify "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}" \
--rekor-url "https://rekor.sigstore.dev/" \
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
env:
Expand Down

0 comments on commit 99207f4

Please sign in to comment.