

Sign release images (#468)
Signed-off-by: Jose R. Gonzalez <[email protected]>
komish authored Aug 16, 2024
1 parent 851b1aa commit c61501c
Showing 1 changed file with 37 additions and 6 deletions.
43 changes: 37 additions & 6 deletions .github/workflows/release.yaml
Expand Up @@ -26,11 +26,19 @@ on:
# Publish semver tags as releases.
tags: '[0-9]+.[0-9]+.[0-9]+'

env:
IMAGE_NAME: chart-verifier

jobs:
build-and-release:
name: Create GitHub release
runs-on: ubuntu-latest

permissions:
contents: write
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
Expand All @@ -40,6 +48,11 @@ jobs:
with:
go-version-file: go.mod

- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
with:
cosign-release: 'v2.2.4'

- name: Print tag to GITHUB_OUTPUT
id: get_tag
run: |
Expand Down Expand Up @@ -111,17 +124,35 @@ jobs:
id: build_container_images
run: |
# Build podman images locally
make build-image IMAGE_TAG=${{ steps.get_tag.outputs.release_version }}
make build-image IMAGE_TAG=latest
make build-image IMAGE_TAG=${{ steps.get_tag.outputs.release_version }} IMAGE_REPO=${{ secrets.IMAGE_REGISTRY }}
podman tag \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }} \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Push to quay.io
id: push_to_quay
uses: redhat-actions/push-to-registry@v2
with:
image: chart-verifier
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.get_tag.outputs.release_version }}
latest
registry: quay.io/redhat-certification
${{ steps.get_tag.outputs.release_version }}
registry: ${{ secrets.IMAGE_REGISTRY }}
username: ${{ secrets.QUAY_BOT_USERNAME }}
password: ${{ secrets.QUAY_BOT_TOKEN }}

- name: Sign published image
id: sign-image
run: |
cosign sign \
--yes \
--registry-username ${{ secrets.QUAY_BOT_USERNAME }} \
--registry-password ${{ secrets.QUAY_BOT_TOKEN }} \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push_to_quay.outputs.digest }}
- name: Verify the image signature
run: |
cosign verify \
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yaml@refs/tags/${{ steps.get_tag.outputs.release_version }} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }}
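Review bot: The "Verify the image signature" step checks the mutable tag `:${{ steps.get_tag.outputs.release_version }}`, while the signing step signed the immutable digest from `steps.push_to_quay.outputs.digest`; a tag can be re-pointed between the two steps, so the verification does not prove that the exact artifact that was pushed is the one that was signed. Verify the same reference instead, `${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push_to_quay.outputs.digest }}`, and keep the tag check only as an extra consistency test if desired. The `--certificate-identity` pin also assumes `release_version` is byte-identical to the pushed git tag name (`refs/tags/…`); the `get_tag` step that computes it lies outside this hunk, so that equivalence should be confirmed there or the verify will fail for any normalized version string. Separately, passing `--registry-password ${{ secrets.QUAY_BOT_TOKEN }}` on the `cosign sign` command line exposes the token in the runner's process argument list; a preceding `echo "${{ secrets.QUAY_BOT_TOKEN }}" | cosign login "${{ secrets.IMAGE_REGISTRY }}" -u "${{ secrets.QUAY_BOT_USERNAME }}" --password-stdin` keeps it out of argv, and the same applies to the sign step's username flag.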

