Cosign signature setup for release and docker image in CI (bitnami-labs#810)

* Add cosign signature to GoReleaser

* Add cosign signature to Docker image (on registry)

* make the requested changes

* Update .github/workflows/release.yaml


Co-authored-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Co-authored-by: Alfredo Garcia <algarcia@vmware.com>
3 people authored May 5, 2022
1 parent 149b231 commit c82bb37
Showing 2 changed files with 26 additions and 1 deletion.
17 changes: 16 additions & 1 deletion .github/workflows/release.yaml
@@ -44,6 +44,14 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

# Setup Cosign
- name: Install Cosign
uses: sigstore/cosign-installer@v2.3.0
- name: Write Cosign key
run: echo "$COSIGN_KEY" > /tmp/cosign.key
env:
COSIGN_KEY: ${{ secrets.COSIGN_KEY }}

# Build & Release binaries
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2
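Review bot: the `Write Cosign key` step leaves the private key on disk for the rest of the job, and `echo "$COSIGN_KEY" > /tmp/cosign.key` creates the file with the runner's default umask (normally mode 0644), so every later step, action and tool in the job can read it. Suggest creating it with restricted permissions, e.g. `(umask 077; printf '%s\n' "$COSIGN_KEY" > /tmp/cosign.key)`, and adding a final `if: always()` step that deletes it; alternatively skip the file entirely and pass the secret as `--key env://COSIGN_KEY`, which cosign accepts for both `sign` and `sign-blob`. Since this step handles signing material, pin `sigstore/cosign-installer` to a commit SHA rather than the moveable `v2.3.0` tag.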
@@ -53,6 +61,7 @@ jobs:
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

# Build & Publish multi-arch image
- name: Login to Docker Hub
@@ -68,4 +77,10 @@ jobs:
platforms: linux/amd64,linux/arm64,linux/arm
push: true
tags: ${{ env.image_name }}:latest,${{ env.image_name }}:${{ github.ref_name }}

- name: Sign image with a key
run: |
echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key $TAG_LATEST $TAG_CURRENT
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
TAG_LATEST: ${{ env.image_name }}:latest
TAG_CURRENT: ${{ env.image_name }}:${{ github.ref_name }}
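Review bot: `cosign sign --key /tmp/cosign.key $TAG_LATEST $TAG_CURRENT` signs whatever the two tags resolve to at signing time, and tags are mutable, so a tag moved between the push step and this step would receive a signature over an image other than the one this workflow built. Give the build step an `id:` and sign by digest instead, e.g. `${{ env.image_name }}@${{ steps.<build-step-id>.outputs.digest }}` (placeholder id; `docker/build-push-action` exposes the `digest` output), which is also the reference downstream `cosign verify` should pin to. cosign also reads `COSIGN_PASSWORD` from the environment when it is set, so the `echo -n "$COSIGN_PASSWORD" |` pipe is redundant, though harmless.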
10 changes: 10 additions & 0 deletions .goreleaser.yml
@@ -40,6 +40,16 @@ changelog:
- '^helm:'
- '^integration:'
- '^vendor_jsonnet:'
signs:
- cmd: cosign
stdin: '{{ .Env.COSIGN_PASSWORD }}'
output: true
artifacts: all
args:
- 'sign-blob'
- '--key=/tmp/cosign.key'
- '--output-signature=${signature}'
- '${artifact}'
release:
name_template: "{{ .ProjectName }}-v{{ .Version }}"
header: |
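Review bot: nothing in this change publishes the public key that consumers need to check the `.sig` files GoReleaser will now attach to each release, so the signatures cannot be verified by anyone outside the team that holds `COSIGN_KEY`. Suggest committing the matching `cosign.pub` to the repository (and/or attaching it as a release asset) and documenting the check in the README, e.g. `cosign verify-blob --key cosign.pub --signature <artifact>.sig <artifact>`. Note also that `artifacts: all` signs every artifact including the checksum file; that is a reasonable choice, but if the intent was the common GoReleaser pattern of signing only the checksums file, use `artifacts: checksum` instead.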

0 comments on commit c82bb37
