From e630876ccd2d41682c48122d47670986958eec27 Mon Sep 17 00:00:00 2001
From: Matthew James Briggs
Date: Mon, 23 Mar 2026 14:15:09 +0100
Subject: [PATCH] chore(ci): sign container images

Add a ddsign invocation to internal docker build workflows to sign the images.
---
 .gitlab/internal.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.gitlab/internal.yml b/.gitlab/internal.yml
index be11e2459a..18ff34a791 100644
--- a/.gitlab/internal.yml
+++ b/.gitlab/internal.yml
@@ -1,6 +1,9 @@
 generate-build-ci-image:
   stage: internal
   image: ${DOCKER_BUILD_IMAGE}
+  id_tokens:
+    DDSIGN_ID_TOKEN:
+      aud: image-integrity
   needs: []
   rules:
     - if: $CI_PIPELINE_SOURCE == "web"
@@ -26,12 +29,18 @@ generate-build-ci-image:
       --build-arg DD_AGENT_IMAGE=registry.datadoghq.com/agent:latest-jmx
       --squash
       --push
+      --metadata-file ./build-ci-metadata
       --file .ci/images/build/Dockerfile
       .
+    - ddsign sign ${SALUKI_IMAGE_REPO_BASE}/build-ci:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}
+      --docker-metadata-file ./build-ci-metadata
 
 generate-general-ci-image:
   stage: internal
   image: ${DOCKER_BUILD_IMAGE}
+  id_tokens:
+    DDSIGN_ID_TOKEN:
+      aud: image-integrity
   needs: []
   rules:
     - if: $CI_PIPELINE_SOURCE == "web"
@@ -51,12 +60,18 @@ generate-general-ci-image:
       --label ci.job_id=${CI_JOB_ID}
       --squash
       --push
+      --metadata-file ./general-ci-metadata
       --file .ci/images/general/Dockerfile
       .
+    - ddsign sign ${SALUKI_IMAGE_REPO_BASE}/general-ci:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}
+      --docker-metadata-file ./general-ci-metadata
 
 generate-smp-ci-image:
   stage: internal
   image: ${DOCKER_BUILD_IMAGE}
+  id_tokens:
+    DDSIGN_ID_TOKEN:
+      aud: image-integrity
   needs: []
   rules:
     - if: $CI_PIPELINE_SOURCE == "web"
@@ -76,5 +91,8 @@ generate-smp-ci-image:
       --label ci.job_id=${CI_JOB_ID}
       --squash
       --push
+      --metadata-file ./smp-ci-metadata
       --file .ci/images/smp/Dockerfile
       .
+    - ddsign sign ${SALUKI_IMAGE_REPO_BASE}/smp-ci:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}
+      --docker-metadata-file ./smp-ci-metadata
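Review bot: The `id_tokens` block added under `generate-build-ci-image` is repeated verbatim for `generate-general-ci-image` and `generate-smp-ci-image` in the later hunks, and the trailing `ddsign sign` step differs across the three jobs only in the image name and metadata file path. GitLab CI lets the token block live once in a hidden job, e.g. `.ddsign-token:` holding the three-line `id_tokens` mapping, with `extends: .ddsign-token` on each of the three jobs, so a later change to the audience or token name is made in one place rather than three. The `rules` list shown at the end of the hunk continues outside it.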
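Review bot: In the `generate-build-ci-image` script the image is pushed by `--push` before `ddsign sign` runs as a separate script entry, so the tag exists in the registry unsigned until signing completes, and if `ddsign` fails the job fails but the unsigned tag is left behind; the `general-ci` and `smp-ci` jobs in the next two hunks use the same ordering. That is only safe if consumers verify the signature on pull or at admission rather than trusting the presence of the tag, and it is worth recording next to the step: `# pushed before signing: a ddsign failure fails the job but leaves the unsigned tag in the registry; consumers must verify signatures`. Passing `--docker-metadata-file` presumably binds the signature to the digest recorded by `--metadata-file` rather than to the mutable `v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}` tag, which a job retry would overwrite — worth confirming in the ddsign documentation. The `script:` list these lines belong to starts outside the hunk.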