From a2b3d1bc689d5ade9177598d58b8e16d190714ca Mon Sep 17 00:00:00 2001
From: Bence Csati
Date: Sun, 15 Dec 2024 16:35:43 +0100
Subject: [PATCH] fix: signing

Signed-off-by: Bence Csati
---
 .github/workflows/artifacts.yaml | 46 +++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index a5bc348..d129fa1 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -124,10 +124,24 @@ jobs:
 TAGS: ${{ steps.meta.outputs.tags }}
 run: |
 images=""
- for tag in ${TAGS}; do
+ for tag in ${TAGS[@]}; do
 images+="${tag}@${DIGEST} "
 done
- cosign sign --yes ${images}
+
+ cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
+
+ - name: Verify signed image with cosign
+ if: ${{ inputs.publish && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+ env:
+ DIGEST: ${{ steps.build.outputs.digest }}
+ TAGS: ${{ steps.meta.outputs.tags }}
+ run: |
+ for tag in ${TAGS[@]}; do
+ cosign verify "${tag}@${DIGEST}" \
+ --rekor-url "https://rekor.sigstore.dev/" \
+ --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+ done
 
 - name: Set image ref
 id: image-ref
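Review bot: The new "Verify signed image with cosign" step pipes `cosign verify … | jq`, so the step's exit status is jq's, and jq exits 0 on empty input; with the runner's default `bash -e {0}` shell (no pipefail) a failed verification only prints to stderr and the step still succeeds, unless a `shell: bash` or `defaults.run.shell` outside this hunk enables pipefail. Either drop the `| jq` (cosign verify's output is already JSON by default) or make `set -o pipefail` the first line of the `run: |` script; the "Verify signed chart with cosign" step in the third hunk has the same problem. The `${{ github.repository }}` and `${{ github.ref }}` expressions are interpolated straight into the shell script; passing them through `env:` as `CERT_IDENTITY: https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}` and using `--certificate-identity "${CERT_IDENTITY}"` is the usual injection-safe pattern and keeps the identity string in one place. Note also that `${TAGS[@]}` on a scalar env var expands exactly like `${TAGS}`, so the loop still relies on word-splitting the newline-separated tag list and the `[@]` only suggests an array that is not there.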
@@ -239,13 +253,6 @@ jobs:
 helm package deploy/charts/${{ steps.chart-name.outputs.value }} --version ${{ steps.version.outputs.value }} --app-version ${{ steps.raw-version.outputs.value }}
 echo "package=${{ steps.chart-name.outputs.value }}-${{ steps.version.outputs.value }}.tgz" >> "$GITHUB_OUTPUT"
 
- - name: Sign chart with GitHub OIDC Token
- if: ${{ inputs.publish && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
- env:
- PACKAGE: ${{ steps.build.outputs.package }}
- run: |
- cosign sign-blob --yes $PACKAGE
-
 - name: Upload chart as artifact
 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
@@ -261,11 +268,30 @@ jobs:
 if: inputs.publish && inputs.release
 
 - name: Helm push
- run: helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }}
+ id: push
+ run: |
+ helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }} &> push-metadata.txt
+ echo "digest=$(awk '/Digest: /{print $2}' push-metadata.txt)" >> "$GITHUB_OUTPUT"
 env:
 HELM_REGISTRY_CONFIG: ~/.docker/config.json
 if: inputs.publish && inputs.release
 
+ - name: Sign chart with GitHub OIDC Token
+ if: ${{ inputs.publish && inputs.release && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+ env:
+ DIGEST: ${{ steps.push.outputs.digest }}
+ run: cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}"
+
+ - name: Verify signed chart with cosign
+ if: ${{ inputs.publish && inputs.release && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+ env:
+ DIGEST: ${{ steps.push.outputs.digest }}
+ run: |
+ cosign verify "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}" \
+ --rekor-url "https://rekor.sigstore.dev/" \
+ --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+
 - name: Upload package as artifact
 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
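Review bot: The `digest` output written in the Helm push step comes from an `awk` match over helm's human-readable output with no check that any line matched, so if the `Digest: ` wording changes or is missing, `digest` is empty, the sign step is handed `<chart>@` with nothing after the `@`, and the failure surfaces one step later as a confusing cosign error. Fail fast in the push step instead: `digest="$(awk '/Digest: /{print $2}' push-metadata.txt)"`, `[[ "$digest" == sha256:* ]] || { echo "no digest in helm push output" >&2; exit 1; }`, `echo "digest=${digest}" >> "$GITHUB_OUTPUT"`. Because `&> push-metadata.txt` redirects both streams, a failed `helm push` aborts the step via `-e` with its error message only in the file and not in the job log; printing the file on failure, e.g. `helm push … &> push-metadata.txt || { cat push-metadata.txt; exit 1; }`, keeps the diagnostics visible.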