Commit 4863458
feat: add cosign to sign the images
Using the output from the bake action we sign every tag plus the specific sha256 using cosign Closes #136
1 parent c330729 commit 4863458
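As an added example (not code from this commit or from the project): the image-reference list that the sign step assembles with jq and awk, written as a small Python parser over the bake metadata so the transformation can be checked offline. The sample metadata is constructed in the shape the workflow's jq filter reads (an object keyed by bake target with `image.name` holding the comma-separated tag list and `containerimage.digest` the pushed manifest digest); the function and variable names are this example's own. It deliberately differs from the commit in two ways: it emits one `repository@digest` reference per repository, because cosign signs the manifest digest regardless of which tag resolved to it, and it takes the metadata from an environment variable instead of from a `${{ }}` expression expanded inside the script body.

```python
"""Build the cosign argument list from docker/bake-action metadata.

Added example, not the project's workflow code. The JSON below is a
constructed stand-in for steps.<id>.outputs.metadata.
"""
import json
import os
import re
import shlex

# An OCI manifest digest as buildx reports it.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample: two targets, the second pushed to two registries.
SAMPLE_METADATA = json.dumps({
    "api": {
        "image.name": "ghcr.io/example/api:testing,ghcr.io/example/api:4863458",
        "containerimage.digest": "sha256:" + "a" * 64,
    },
    "web": {
        "image.name": "ghcr.io/example/web:testing,localhost:5000/example/web:testing",
        "containerimage.digest": "sha256:" + "b" * 64,
    },
})


def repository(image_name: str) -> str:
    """Strip the tag (and any trailing @digest) from an image reference.

    A ':' only separates a tag after the last '/', so registry ports such as
    localhost:5000 are preserved.
    """
    name = image_name.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}{sep}{last}"


def refs_to_sign(metadata_json: str) -> list:
    """Return one 'repository@digest' per pushed repository, in metadata order.

    Targets without a well-formed digest (nothing was pushed) are skipped;
    duplicate references produced by several tags of one repository collapse
    to a single entry because cosign attaches the signature to the digest.
    """
    refs, seen = [], set()
    for _target, fields in json.loads(metadata_json).items():
        digest = fields.get("containerimage.digest", "")
        if not DIGEST_RE.match(digest):
            continue
        for name in fields.get("image.name", "").split(","):
            name = name.strip()
            if not name:
                continue
            ref = f"{repository(name)}@{digest}"
            if ref not in seen:
                seen.add(ref)
                refs.append(ref)
    return refs


def cosign_argv(refs: list) -> list:
    """argv for keyless signing; refuses an empty list, which cosign rejects anyway."""
    if not refs:
        raise ValueError("no pushed images to sign")
    return ["cosign", "sign", "--yes", *refs]


if __name__ == "__main__":
    # In a workflow, hand the action output over via
    #   env:
    #     BAKE_METADATA: ${{ steps.build.outputs.metadata }}
    # (BAKE_METADATA is this example's name) so the JSON never becomes part of
    # the script text that bash parses. The sample is used when it is unset.
    metadata = os.environ.get("BAKE_METADATA", SAMPLE_METADATA)
    print(shlex.join(cosign_argv(refs_to_sign(metadata))))
```

Running it without the variable set prints a single `cosign sign --yes` line with three references: the two `api` tags collapse to one entry because they share a repository and digest, while the two `web` tags stay separate because they point at different registries.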

1 file changed, +17 -0 lines


.github/workflows/bake.yaml

+17
@@ -12,6 +12,10 @@ on:
1212
- production
1313
default: testing
1414
description: "Choose the environment to bake the images for"
15+
target:
16+
type: string
17+
default: ""
18+
description: "The target to build the image for comma separated list of targets"
1519

1620
jobs:
1721
# Start by building images for testing. We want to run security checks before pushing those to production.
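Review bot: the description of the new `target` input, `description: "The target to build the image for comma separated list of targets"`, is hard to parse and says nothing about what the empty default does; suggest `description: "Comma-separated list of bake targets to build (empty builds the default group)"`. Because `default: ""` is also the value every non-dispatch trigger will supply through `github.event.inputs.target`, please confirm that an empty `targets` value really makes bake-action fall back to its default group rather than build nothing, and say so in the description.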
@@ -22,6 +26,7 @@ jobs:
2226
contents: read
2327
packages: write
2428
security-events: write
29+
id-token: write
2530
outputs:
2631
metadata: ${{ steps.build.outputs.metadata }}
2732
images: ${{ steps.images.outputs.images }}
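Review bot: `id-token: write` is granted at job level, so every step in the build job, including the third-party build and bake actions that run before signing, can mint the OIDC token that keyless `cosign sign` relies on for this workflow's identity. Since the job already exports `metadata` as an output, consider moving the cosign install and sign steps into a separate job that holds `id-token: write` (plus `packages: write` to push the signatures) and dropping the permission here; at minimum add a comment next to `id-token: write` stating that it exists for keyless cosign signing so the next reader does not remove or widen it by accident.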
@@ -55,13 +60,25 @@ jobs:
5560
revision: ${{ github.sha }}
5661
with:
5762
push: true
63+
targets: ${{ github.event.inputs.target }}
5864

5965
# Get a list of the images that were built and pushed. We only care about a single tag for each image.
6066
- name: Generated images
6167
id: images
6268
run: |
6369
echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >> "$GITHUB_OUTPUT"
6470
71+
# Even if we're testing we sign the images, so we can push them to production later if that's required
72+
- name: Install cosign
73+
uses: sigstore/cosign-installer@v3
74+
- name: Check Cosign install
75+
run: cosign version
76+
- name: Sign images using Cosing
77+
run: |
78+
images=""
79+
images=$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.[] | "\(.["image.name"]) \(.["containerimage.digest"])"' | awk -F' ' '{split($1, a, ","); for(i in a) print a[i] "@" $2}' | tr '\n' ' ')
80+
cosign sign --yes ${images}
81+
6582
security:
6683
name: Security checks
6784
runs-on: ubuntu-latest
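Review bot: both the `Generated images` step and the new sign step splice `${{ steps.build.outputs.metadata }}` directly into the `run:` script inside single quotes; the expression is expanded before bash parses the script, so a `'` anywhere in that JSON (for example in a tag that ends up in `image.name` from untrusted input such as a branch name) terminates the literal and the remainder runs as shell with this job's `packages: write` and `id-token: write`. Pass it through the environment instead, `env: BAKE_METADATA: ${{ steps.build.outputs.metadata }}` on the step and `echo "$BAKE_METADATA" | jq ...` in both scripts. Smaller points in the same hunk: `images=""` on the line before the assignment is dead and can go; the step name has a typo (`Sign images using Cosing`); since cosign attaches the signature to the manifest digest, the several `name:tag@digest` entries for one repository all resolve to the same digest and one `repo@digest` reference per repository is enough; and when no target was pushed the list is empty and `cosign sign --yes` with no arguments fails the job, so guard the step with an `if:` on a non-empty list.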
