fix(cicd): change to oidc siginging

flxbl-io · Mar 2, 2024 · 66328a2 · 66328a2
1 parent 489fe3b
commit 66328a2
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 24 deletions.
diff --git a/.github/workflows/sfp-build-docker.yml b/.github/workflows/sfp-build-docker.yml
@@ -33,6 +33,11 @@ jobs:
     name: 'build docker image'
     environment: ${{ inputs.job-environment }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write 
+
     steps:
 
     - uses: actions/checkout@v2
@@ -41,7 +46,7 @@ jobs:
 
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v3
 
 
     - name: Login to GitHub Container Registry
@@ -56,7 +61,7 @@ jobs:
     # https://github.com/docker/metadata-action
     - name: Extract Docker metadata
       id: meta
-      uses: docker/metadata-action@v3
+      uses: docker/metadata-action@v4.4.0
       with:
           images:  ghcr.io/${{ inputs.repo }}/${{ inputs.image }}
 
@@ -72,7 +77,7 @@ jobs:
 
     - name: Build and push
       id: docker_build
-      uses: docker/build-push-action@v2
+      uses: docker/build-push-action@v5
       with:
           file: dockerfiles/${{inputs.dockerFileName}}.Dockerfile
           context: dockerfiles
@@ -85,6 +90,17 @@ jobs:
                   GIT_COMMIT=${{ github.sha}}
 
 
+    - name: Sign the images with GitHub OIDC Token
+      env:
+         DIGEST: ${{ steps.docker_build.outputs.digest }}
+         TAGS:  ghcr.io/${{ inputs.repo }}/${{ inputs.image }}:${{ env.PKG_VERSION }}-${{ inputs.suffix-tag }}
+      run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
    #Tag the image as develop
     - name: 'Tag Docker'
       uses: ./.github/actions/tagDocker

diff --git a/.github/workflows/sfp-copy-docker.yml b/.github/workflows/sfp-copy-docker.yml
@@ -30,7 +30,7 @@ on:
           required: true
 jobs:
 
-  build:
+  copy:
     name: 'copy rc docker image to production'
     environment: ${{ inputs.job-environment }}
     runs-on: ubuntu-latest
@@ -40,17 +40,6 @@ jobs:
       with:
         fetch-depth: 0
 
-    # Install the cosign tool except on PR
-    # https://github.com/sigstore/cosign-installer
-    - name: Install cosign
-      uses: sigstore/cosign-installer@main
-      with:
-        cosign-release: 'v1.7.1'
-
-    - name: Write signing key to disk (only needed for `cosign sign --key`)
-      run: echo "${{ secrets.signing_secret }}" > cosign.key
-
-
     - name: 'Get package version'
       run: |
          echo "PKG_VERSION=$(jq -r ".version" packages/sfp-cli/package.json)" >> $GITHUB_ENV
@@ -79,15 +68,7 @@ jobs:
          username:  ${{ env.DOCKER_USERNAME }}
          token: ${{ env.DOCKER_TOKEN }}
 
-    - name: Sign the published Docker image
-      run: | 
-          cosign sign --key cosign.key \
-            -a "repo=${{ github.repository }}" \
-            -a "workflow=${{ github.workflow }}" \
-            -a "ref=${{ github.sha }}" \
-             ghcr.io/${{ inputs.repo }}/${{ inputs.image-as }}:${{ env.PKG_VERSION }}-${{ github.run_id }}
-      env:
-       COSIGN_PASSWORD: ${{ secrets.cosign_password }}
+
 
     - name: 'Tag Docker'
       uses: ./.github/actions/tagDocker