From be314a90e88238da91858c5574bad1ae33c9b985 Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov
Date: Thu, 30 May 2024 16:10:51 +0900
Subject: [PATCH] Test attestation

---
 .github/workflows/images_build.yml | 36 ++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml
index 500ba57b0..b928551a3 100644
--- a/.github/workflows/images_build.yml
+++ b/.github/workflows/images_build.yml
@@ -270,6 +270,22 @@ jobs:
 ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
 fetch-depth: 1
 
+ - name: Install cosign
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
+ with:
+ cosign-release: 'v2.2.3'
+
+ - name: Check cosign version
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ run: cosign version
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ with:
+ image: tonistiigi/binfmt:latest
+ platforms: all
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 with:
@@ -379,6 +395,26 @@ jobs:
 cache-from: ${{ steps.cache_data.outputs.cache_from }}
 cache-to: ${{ steps.cache_data.outputs.cache_to }}
 
+ - name: Sign the images with GitHub OIDC Token
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ env:
+ DIGEST: ${{ steps.docker_build.outputs.digest }}
+ TAGS: ${{ steps.meta.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+
+ echo "::group::Images to sign"
+ echo "$images"
+ echo "::endgroup::"
+
+ echo "::group::Signing"
+ echo "cosign sign --yes $images"
+ cosign sign --yes ${images}
+ echo "::endgroup::"
+
 - name: Attest images
 if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
 id: attest
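Review bot: The added `Set up QEMU` step at the end of the first hunk duplicates the existing `Set up QEMU` context step immediately below it, with the same action SHA and the same `with:` inputs, so the action runs twice in every job; drop the added copy. The `sigstore/cosign-installer` pin is the only `uses:` in this hunk without a trailing version comment — add one in the style of the neighbouring `# v3.0.0`, e.g. `uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # <release tag matching this commit>` (placeholder, resolve from the pinned commit). Keyless `cosign sign` later in this file needs the job to grant `id-token: write`; the job's `permissions:` block is outside the hunk, so confirm it is present before merging.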
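Review bot: The signing loop in the second hunk builds `${tag}@${DIGEST}` without checking that `DIGEST` or `TAGS` is non-empty, so a build that produced no digest yields malformed references (`tag@`) or an argument-less `cosign sign --yes` rather than a clear failure; add a guard before the loop, `if [ -z "${DIGEST}" ] || [ -z "${TAGS}" ]; then echo "::error::missing image digest or tags"; exit 1; fi`. Keyless signing with the GitHub OIDC token also requires `id-token: write` on the job, which is not visible in this hunk — confirm. If `docker_build` pushes a multi-arch index, `cosign sign` without `--recursive` signs only the index and not each platform manifest; that is acceptable if consumers verify by the index digest, but worth a comment above the `cosign sign` line stating which is intended. The `Attest images` step begins on the last context lines and continues outside the hunk.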