From 15abef1b820581a1511192be3afef9bea61ab74e Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com>
Date: Sat, 21 Dec 2024 23:49:30 +0000
Subject: [PATCH] Update push-docker.yml

---
 .github/workflows/push-docker.yml | 55 +++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
index 45907e7475d..0d0d3ce193f 100644
--- a/.github/workflows/push-docker.yml
+++ b/.github/workflows/push-docker.yml
@@ -10,6 +10,7 @@ on:
 permissions:
   contents: read
   packages: write
+  id-token: write
 
 jobs:
   push:
@@ -37,6 +38,11 @@ jobs:
         env:
           DOCKER_ENABLE_SECURITY: false
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
@@ -80,6 +86,7 @@ jobs:
             type=raw,value=alpha,enable=${{ github.ref == 'refs/heads/main' }}
 
       - name: Build and push main Dockerfile
+        id: build-push-regular
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           builder: ${{ steps.buildx.outputs.name }}
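Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow can now mint an OIDC token, not only the steps that run cosign. Only the `push` job is visible in this patch, but the tighter shape is a job-level `permissions:` under `jobs.push` that lists `contents: read`, `packages: write` and `id-token: write` together (a job-level block replaces the workflow-level one, so all three must be repeated), leaving the workflow-level block without `id-token`. The `permissions:` and `jobs:` blocks continue outside the hunk.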
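Review bot: `uses: sigstore/cosign-installer@v3.7.0` pins the action to a mutable tag, while the neighbouring `docker/setup-buildx-action` and `docker/build-push-action` lines in this file pin a full commit SHA with the version kept in a trailing comment. A tag can be moved to point at different code, and this is the action that fetches the signing binary, so it should follow the file's SHA-pinning convention: `uses: sigstore/cosign-installer@<commit-sha-of-v3.7.0> # v3.7.0` (substitute the real commit SHA). The `cosign-release: 'v2.4.1'` input is the cosign release version and can stay quoted as it is.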
@@ -92,6 +99,28 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
           platforms: linux/amd64,linux/arm64/v8
+          provenance: true
+          sbom: true
+
+      - name: Sign regular images
+        env:
+          DIGEST: ${{ steps.build-push-regular.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          # Always sign images regardless of branch
+          echo "$TAGS" | tr ',' '\n' | while read -r tag; do
+            cosign sign --yes "${tag}@${DIGEST}"
+          done
+
+          # For alpha builds specifically, we want to ensure they're marked as development builds
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            echo "Signing alpha build with development attestation"
+            echo "$TAGS" | tr ',' '\n' | while read -r tag; do
+              if [[ $tag == *":alpha" ]]; then
+                cosign attest --predicate <(echo '{"type":"development"}') --yes "${tag}@${DIGEST}"
+              fi
+            done
+          fi
 
       - name: Generate tags ultra-lite
         id: meta2
@@ -108,6 +137,7 @@ jobs:
             type=raw,value=latest-ultra-lite,enable=${{ github.ref == 'refs/heads/master' }}
 
       - name: Build and push Dockerfile-ultra-lite
+        id: build-push-lite
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         if: github.ref != 'refs/heads/main'
         with:
@@ -120,6 +150,18 @@ jobs:
           labels: ${{ steps.meta2.outputs.labels }}
           build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
           platforms: linux/amd64,linux/arm64/v8
+          provenance: true
+          sbom: true
+
+      - name: Sign ultra-lite images
+        if: github.ref != 'refs/heads/main'
+        env:
+          DIGEST: ${{ steps.build-push-lite.outputs.digest }}
+          TAGS: ${{ steps.meta2.outputs.tags }}
+        run: |
+          echo "$TAGS" | tr ',' '\n' | while read -r tag; do
+            cosign sign --yes "${tag}@${DIGEST}"
+          done
 
       - name: Generate tags fat
         id: meta3
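Review bot: The "Sign regular images" script interpolates `${{ github.ref }}` straight into the bash body at the `if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then` line, which is the expression-in-script pattern GitHub's workflow hardening guidance says to avoid; the same value is already exported to the shell, so `if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then` keeps the ref out of the script text, consistent with how `$TAGS` and `$DIGEST` are passed through `env:`. The `cosign attest` call supplies a `{"type":"development"}` predicate without a `--type`, so it is stored under cosign's default custom predicate type, and a comment above it such as `# custom predicate (cosign default type); check with: cosign verify-attestation --type custom` would tell consumers how to verify it. The `echo "$TAGS" | tr ',' '\n' | while read -r tag; do cosign sign --yes "${tag}@${DIGEST}"; done` loop is repeated verbatim in the ultra-lite and fat signing steps (the `@@ -120,6 +150,18 @@` hunk below and the `@@ -149,3 +192,15 @@` hunk on the next line); since cosign signs the resolved digest rather than the tag, one signature per `${DIGEST}` appears sufficient as far as I can tell, and either way a single shared signing snippet would keep the three steps from drifting.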
@@ -136,6 +178,7 @@ jobs:
             type=raw,value=latest-fat,enable=${{ github.ref == 'refs/heads/master' }}
 
       - name: Build and push main Dockerfile fat
+        id: build-push-fat
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         if: github.ref != 'refs/heads/main'
         with:
@@ -149,3 +192,15 @@ jobs:
           labels: ${{ steps.meta3.outputs.labels }}
           build-args: VERSION_TAG=${{ steps.versionNumber.outputs.versionNumber }}
           platforms: linux/amd64,linux/arm64/v8
+          provenance: true
+          sbom: true
+
+      - name: Sign fat images
+        if: github.ref != 'refs/heads/main'
+        env:
+          DIGEST: ${{ steps.build-push-fat.outputs.digest }}
+          TAGS: ${{ steps.meta3.outputs.tags }}
+        run: |
+          echo "$TAGS" | tr ',' '\n' | while read -r tag; do
+            cosign sign --yes "${tag}@${DIGEST}"
+          done