Skip to content

Sign container images #11

Sign container images

Sign container images #11

Workflow file for this run

name: Sign container images
on:
workflow_run:
workflows: ["Build and push images"]
types:
- completed
workflow_dispatch:
jobs:
sign:
name: Create attestation
runs-on: ubuntu-22.04
strategy:
matrix:
version: ['3.1', '3.2', '3.3']
permissions:
packages: write
steps:
- name: Login to GHCR
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/[email protected]
- uses: anchore/sbom-action/download-syft@v0
id: syft
- name: Configure AWS credentials
uses: aws-actions/[email protected]
with:
# TODO: Remove long-lived keys and switch to OIDC once https://github.com/github/roadmap/issues/249 lands.
aws-access-key-id: ${{ secrets.AWS_GOVUK_ECR_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_GOVUK_ECR_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Create attestation
run: |
BASE_IMAGE='ghcr.io/alphagov/govuk-ruby-base:${{ matrix.version }}'
BUILDER_IMAGE='ghcr.io/alphagov/govuk-ruby-builder:${{ matrix.version }}'
SYFT='${{steps.syft.outputs.cmd }}'
$SYFT --output spdx-json "${BASE_IMAGE}" > base.spdx.json
$SYFT --output spdx-json "${BUILDER_IMAGE}" > builder.spdx.json
cosign attest -y --predicate base.spdx.json --key "awskms:///alias/container-signing-key" "${BASE_IMAGE}"
cosign attest -y --predicate builder.spdx.json --key "awskms:///alias/container-signing-key" "${BUILDER_IMAGE}"