Skip to content

Commit b5fae4f

Browse files
committed
feat: add cosign to sign the images
Using the output from the bake action we sign every tag plus the specific sha256 using cosign Closes #136 Signed-off-by: Jonathan Gonzalez V <[email protected]>
1 parent c330729 commit b5fae4f

File tree

1 file changed

+16
-0
lines changed

1 file changed

+16
-0
lines changed

.github/workflows/bake.yaml

+16
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,10 @@ on:
1212
- production
1313
default: testing
1414
description: "Choose the environment to bake the images for"
15+
target:
16+
type: string
17+
default: ""
18+
description: "The target to build the image for comma separated list of targets"
1519

1620
jobs:
1721
# Start by building images for testing. We want to run security checks before pushing those to production.
@@ -55,13 +59,25 @@ jobs:
5559
revision: ${{ github.sha }}
5660
with:
5761
push: true
62+
targets: ${{ github.event.inputs.target }}
5863

5964
# Get a list of the images that were built and pushed. We only care about a single tag for each image.
6065
- name: Generated images
6166
id: images
6267
run: |
6368
echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >> "$GITHUB_OUTPUT"
6469
70+
# Even if we're testing we sign the images, so we can push them to production later if that's required
71+
- name: Install cosign
72+
uses: sigstore/cosign-installer@v3
73+
- name: Check Cosign install
74+
run: cosign version
75+
- name: Sign images using Cosing
76+
run: |
77+
images=""
78+
images=$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.[] | "\(.["image.name"]) \(.["containerimage.digest"])"' | awk -F' ' '{split($1, a, ","); for(i in a) print a[i] "@" $2}' | tr '\n' ' ')
79+
cosign sign --key github://cloudnative-pg/postgres-containers --yes ${images}
80+
6581
security:
6682
name: Security checks
6783
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)