From e23c0727c7dd8532caba126d92cf724ab651d9ba Mon Sep 17 00:00:00 2001
From: David Collom
Date: Tue, 29 Apr 2025 11:23:39 +0100
Subject: [PATCH 1/3] Sign container images

---
 .github/workflows/release.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 25c546e4..3979c1b0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,6 +6,8 @@ on:
 - "release-v*"
 tags:
 - "v*"
+ # TODO: Added for testing....
+ workflow_dispatch:
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -164,6 +166,13 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+ with:
+ cosign-release: "v2.2.4"
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 
@@ -180,6 +189,7 @@ jobs:
 password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
 - name: Build and push (if applicable)
+ id: build-and-push
 uses: docker/build-push-action@v6
 with:
 context: .
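Review bot: The comment `# Install the cosign tool except on PR` above the Install cosign step is not backed by any `if:` condition, so the step runs on every trigger of this job; either drop the "except on PR" wording or gate the step with the same condition as the signing step that consumes it, e.g. `if: ${{ startsWith(github.ref, 'refs/tags/') }}`. The pin comment `#v3.5.0` also differs from the `# v4.1.7` form used on the checkout line in the same hunk; `# v3.5.0` keeps the file consistent and is the form pin-update tooling recognises. Pinning both the action SHA and `cosign-release: "v2.2.4"` is the right shape for a signing tool and should be kept.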
@@ -193,6 +203,21 @@ jobs:
 type=sbom
 type=provenance,mode=max
 
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ startsWith(github.ref, 'refs/tags/') }}
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
 github-release:
 name: Create/Update GitHub Release
 permissions:
From ed698a7aa3ba682ab7221811e90f6a843430dbe8 Mon Sep 17 00:00:00 2001
From: David Collom
Date: Tue, 29 Apr 2025 11:24:07 +0100
Subject: [PATCH 2/3] Sign helmchart artifacts

---
 .github/workflows/release.yaml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3979c1b0..db79493b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -122,6 +122,9 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
+ - name: Setup Cosign
+ uses: sigstore/cosign-installer@main
+
 - name: checkout jetstack-charts
 uses: actions/checkout@v4
 with:
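Review bot: The `if: ${{ startsWith(github.ref, 'refs/tags/') }}` on the Sign the published Docker image step only signs tag builds, while the `on:` block in the first hunk of this patch also triggers on `release-v*` branch pushes; if the build step pushes images for those refs they end up published but unsigned, which is not what the comment's "except on PRs" describes. Either align the comment with the condition or widen the condition to every ref that pushes. The command also has no guard for `DIGEST` being empty when "Build and push (if applicable)" decides not to push, in which case `{}@` yields a malformed reference; `if: ${{ startsWith(github.ref, 'refs/tags/') && steps.build-and-push.outputs.digest != '' }}` makes that explicit. Whether a step with `id: meta` exists to feed `steps.meta.outputs.tags` cannot be confirmed from this hunk.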
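Review bot: `uses: sigstore/cosign-installer@main` in the Setup Cosign step pulls a mutable branch of the tool that produces the chart signatures, so the action's code can change between runs with no change to this repository, whereas the first patch in this series pins the same action to a commit SHA and a fixed `cosign-release`. Use the identical pinned form here, `uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0` with `cosign-release: "v2.2.4"`, so both jobs sign with the same reviewable toolchain. The `# v4.1.7` pin comment on the checkout line in this hunk shows the convention the file already follows.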
@@ -130,16 +133,22 @@ jobs:
 ref: main
 path: jetstack-charts
 
- - uses: azure/setup-helm@v4
+ - name: Setup Helm
+ uses: azure/setup-helm@v4
 with:
 token: ${{ github.token }}
 
+ - name: Login to Quay.io
+ run: echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
+
 - name: package helm chart
 run: |
 helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/
 
- - name: Login to Quay.io
- run: echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
+ - name: Sign Helm Chart
+ run: |
+ cosign sign-blob -y jetstack-charts/charts/version-checker-${{steps.release_number.outputs.substring}}.tgz \
+ --bundle jetstack-charts/charts/version-checker-${{steps.release_number.outputs.substring}}.tgz.cosign.bundle
 
 - name: Creating PR
 if: startsWith(github.ref, 'refs/tags/')
@@ -150,7 +159,9 @@ jobs:
 commit-message: "Release version-checker ${{github.ref_name }}"
 branch: version-checker/${{github.ref_name}}
 path: jetstack-charts
- add-paths: charts/*.tgz
+ add-paths: |
+ charts/*.tgz
+ charts/*.tgz.cosign.bundle
 delete-branch: true
 signoff: true
 base: main
From 9fa4359d5c211e88acc5194521c74a6ce499e649 Mon Sep 17 00:00:00 2001
From: David Collom
Date: Tue, 29 Apr 2025 11:33:08 +0100
Subject: [PATCH 3/3] Allow for id-token permissions

---
 .github/workflows/release.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index db79493b..d00d4848 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,8 +6,6 @@ on:
 - "release-v*"
 tags:
 - "v*"
- # TODO: Added for testing....
- workflow_dispatch:
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
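Review bot: The Sign Helm Chart step has no `if:` while the Creating PR step directly below it is gated on `startsWith(github.ref, 'refs/tags/')`; if this job also runs for the `release-v*` branch pushes the workflow triggers on, a keyless signature (and a public Rekor entry) is produced for a chart that is then never proposed for publication. Gating the signing step with the same `if: startsWith(github.ref, 'refs/tags/')` keeps signing and publishing in step. The signed path is assembled from `steps.release_number.outputs.substring`, a step defined outside this hunk; if that value ever differs from the version `helm package` writes into `jetstack-charts/charts/`, `cosign sign-blob` only fails at signing time with a missing-file error, so a `test -f` on the chart path before the sign-blob line gives a clearer failure.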
@@ -25,6 +23,7 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
 - name: Setup Golang
 uses: actions/setup-go@v5
 with:
@@ -118,6 +117,8 @@ jobs:
 
 helm-release:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -173,6 +174,8 @@ jobs:
 
 docker-release:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
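Review bot: Declaring a job-level `permissions:` block that lists only `id-token: write` on helm-release (and the same on docker-release in the last hunk) sets every scope not listed to `none` for that job, replacing whatever the job received from the workflow default or a top-level block; the Checkout code step and any later step that reads or writes repository contents with the job token can then fail, particularly on a private repository. Add `contents: read` alongside `id-token: write` in both jobs, plus whichever write scopes the later steps need. The remaining steps of each job are outside these hunks, so the full set of required scopes cannot be confirmed here.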