Merge remote-tracking branch 'origin/CSPL-2725' into release/2.6.0

splunk · Jul 16, 2024 · a8afe56 · a8afe56
2 parents f687858 + afe85a2
commit a8afe56
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 2 deletions.
diff --git a/.github/workflows/automated-release-workflow.yml b/.github/workflows/automated-release-workflow.yml
@@ -20,6 +20,9 @@ jobs:
       pull-requests: write
     if: github.ref == 'refs/heads/main'
     steps:
+    - name: Set up cosign
+      uses: sigstore/cosign-installer@main
+
     - name: Checkout code
       uses: actions/checkout@v2
 
@@ -87,4 +90,18 @@ jobs:
 
     - name: Push Release Image
       run: |
-        docker push splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+        docker push splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+    
+    - name: Sign Splunk Operator image with a key
+      run: |
+        cosign sign --yes --key env://COSIGN_PRIVATE_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+    - name: Verify Splunk Operator image with a key
+      run: |
+        cosign verify --key env://COSIGN_PUBLIC_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+      env:
+        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+
diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml
@@ -54,6 +54,9 @@ jobs:
       ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
     steps:
+    - name: Set up cosign
+      uses: sigstore/cosign-installer@main
+
     - uses: actions/checkout@v2
     - name: Dotenv Action
       id: dotenv
@@ -97,6 +100,12 @@ jobs:
       run: |
         echo "Uploading Image to ECR:: ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA"
         make docker-push IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
+    - name: Sign Splunk Operator image with a key
+      run: |
+        cosign sign --yes --key env://COSIGN_PRIVATE_KEY  ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
   vulnerability-scan:
     permissions:
       actions: read
@@ -111,6 +120,8 @@ jobs:
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
       IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}
     steps:
+    - name: Set up cosign
+      uses: sigstore/cosign-installer@main
     - uses: actions/checkout@v2
     - name: Dotenv Action
       id: dotenv
@@ -129,6 +140,11 @@ jobs:
     - name: Pull Splunk Operator Image Locally
       run: |
         docker pull ${{ env.IMAGE_NAME }}
+    - name: Verify Signed Splunk Operator image 
+      run: |
+        cosign verify --key env://COSIGN_PUBLIC_KEY  ${{ env.IMAGE_NAME }}
+      env:
+        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/trivy-action@master
       with:

diff --git a/.github/workflows/nightly-int-test-workflow.yml b/.github/workflows/nightly-int-test-workflow.yml
@@ -207,6 +207,8 @@ jobs:
       SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
       TAG: edge
     steps:
+    - name: Set up cosign
+      uses: sigstore/cosign-installer@main
     - uses: actions/checkout@v2
       with:
           ref: develop
@@ -235,4 +237,16 @@ jobs:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PUSH_TOKEN}}
     - name: Push Splunk Operator Image to Docker Hub
-      run: docker push ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ env.TAG }}
+      run: docker push ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ env.TAG }}
+    - name: Sign Splunk Operator image with a key
+      run: |
+        cosign sign --yes --key env://COSIGN_PRIVATE_KEY  ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+    - name: Verify Signed Splunk Operator image 
+      run: |
+        cosign verify --key env://COSIGN_PUBLIC_KEY  ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
+      env:
+        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+