ci: Use cosign to sign container images.

This commit adds cosign to the CI pipeline. cosign is an open-source tool developed by Chainguard that signs container images, allowing other users to cryptographically verify the origin of container images. [1] cosign has different operating modes. This commit utilizes Chainguard's signing infrastructure via "keyless signing". [2] Keyless signing makes image signing easy for open-source projects because Chainguard operates the signing infrastructure on behalf of others. Note: This commit is based on work by Chris Nesbitt-Smith, who published an example GitHub Actions workflow for running cosign. [3] References 1. https://docs.sigstore.dev/signing/quickstart 2. https://edu.chainguard.dev/open-source/sigstore/cosign/an-introduction-to-cosign/#keyless-signing 3. https://github.com/chrisns/cosign-keyless-demo/blob/f35f6c776f/.github/workflows/ci.yml
metal-toolbox · Dec 8, 2023 · 45ec878 · 45ec878
1 parent fd28c0a
commit 45ec878
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,10 +1,8 @@
 
 name: Create and publish a api image
 
-on:
-  push:
-    tags:
-      - v**
+on: push
+
 env:
   REGISTRY: ghcr.io/metal-toolbox
   API_IMAGE_NAME: audito-maldito/audito-maldito
@@ -41,6 +39,8 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - uses: sigstore/cosign-installer@main
+
       - name: Get current date
         id: date
         run: echo "::set-output name=date::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
@@ -52,6 +52,7 @@ jobs:
           images: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}
 
       - name: Build rsyslog and push Docker image
+        id: rsyslog-build-push
         uses: docker/build-push-action@fdf7f43ecf7c1a5c7afe936410233728a8c2d9c2
         with:
           context: "./contrib/rsyslog"
@@ -60,10 +61,19 @@ jobs:
           tags: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:${{ github.ref_name }}-rsyslog
           labels: ${{ steps.meta-api.outputs.labels }}
 
+      - run: cosign sign -y -r ${TAGS}
+        env:
+          TAGS: ${{needs.rsyslog-build-push.outputs.tags}}
+
       - name: Build and push Docker image
+        id: am-build-push
         uses: docker/build-push-action@fdf7f43ecf7c1a5c7afe936410233728a8c2d9c2
         with:
           push: true
           file: Dockerfile
           tags: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:${{ github.ref_name }}
-          labels: ${{ steps.meta-api.outputs.labels }}
+          labels: ${{ steps.meta-api.outputs.labels }}
+
+      - run: cosign sign -y -r ${TAGS}
+        env:
+          TAGS: ${{needs.am-build-push.outputs.tags}}