From 66328a2412732aaa00052ba8401cdf523b7daba3 Mon Sep 17 00:00:00 2001
From: azlam-abdulsalam
Date: Sat, 2 Mar 2024 11:19:17 +1100
Subject: [PATCH] fix(cicd): change to oidc siginging

---
 .github/workflows/sfp-build-docker.yml | 22 +++++++++++++++++++---
 .github/workflows/sfp-copy-docker.yml | 23 ++---------------------
 2 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/sfp-build-docker.yml b/.github/workflows/sfp-build-docker.yml
index 798ea4154..ab147b9c3 100644
--- a/.github/workflows/sfp-build-docker.yml
+++ b/.github/workflows/sfp-build-docker.yml
@@ -33,6 +33,11 @@ jobs:
 name: 'build docker image'
 environment: ${{ inputs.job-environment }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
 steps:
 - uses: actions/checkout@v2
@@ -41,7 +46,7 @@ jobs:
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v3
 - name: Login to GitHub Container Registry
@@ -56,7 +61,7 @@ jobs:
 # https://github.com/docker/metadata-action
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@v3
+ uses: docker/metadata-action@v4.4.0
 with:
 images: ghcr.io/${{ inputs.repo }}/${{ inputs.image }}
@@ -72,7 +77,7 @@ jobs:
 - name: Build and push
 id: docker_build
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v5
 with:
 file: dockerfiles/${{inputs.dockerFileName}}.Dockerfile
 context: dockerfiles
@@ -85,6 +90,17 @@ jobs:
 GIT_COMMIT=${{ github.sha}}
+ - name: Sign the images with GitHub OIDC Token
+ env:
+ DIGEST: ${{ steps.docker_build.outputs.digest }}
+ TAGS: ghcr.io/${{ inputs.repo }}/${{ inputs.image }}:${{ env.PKG_VERSION }}-${{ inputs.suffix-tag }}
+ run: | images="" for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done cosign sign --yes ${images}
 #Tag the image as develop
 - name: 'Tag Docker'
 uses: ./.github/actions/tagDocker
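Review bot: The new "Sign the images with GitHub OIDC Token" step runs `cosign sign --yes`, but no step that installs cosign is visible in this file's hunks, and this same commit removes the `sigstore/cosign-installer` step from sfp-copy-docker.yml; as far as I know ubuntu-latest runners do not ship cosign, so unless the build job installs it somewhere outside these hunks the step will fail with "command not found". If it is missing, add before the signing step `- uses: sigstore/cosign-installer@<PINNED_VERSION>` (pin to a release or commit rather than `@main`). Keyless signing also deserves a comment for future maintainers, since `--yes` suppresses the prompt that the signature and a certificate naming this repository, workflow and ref are published to the public Rekor transparency log: `# Keyless (OIDC) signing: the certificate binds the signature to this workflow's identity and is recorded in the public Rekor log; verifiers must pin --certificate-identity and --certificate-oidc-issuer`. The enclosing job starts outside this hunk.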
diff --git a/.github/workflows/sfp-copy-docker.yml b/.github/workflows/sfp-copy-docker.yml
index 3f73e22cb..c7a11e745 100644
--- a/.github/workflows/sfp-copy-docker.yml
+++ b/.github/workflows/sfp-copy-docker.yml
@@ -30,7 +30,7 @@ on:
 required: true
 jobs:
- build:
+ copy:
 name: 'copy rc docker image to production'
 environment: ${{ inputs.job-environment }}
 runs-on: ubuntu-latest
@@ -40,17 +40,6 @@ jobs:
 with:
 fetch-depth: 0
- # Install the cosign tool except on PR
- # https://github.com/sigstore/cosign-installer
- - name: Install cosign
- uses: sigstore/cosign-installer@main
- with:
- cosign-release: 'v1.7.1'
-
- - name: Write signing key to disk (only needed for `cosign sign --key`)
- run: echo "${{ secrets.signing_secret }}" > cosign.key
-
-
 - name: 'Get package version'
 run: |
 echo "PKG_VERSION=$(jq -r ".version" packages/sfp-cli/package.json)" >> $GITHUB_ENV
@@ -79,15 +68,7 @@ jobs:
 username: ${{ env.DOCKER_USERNAME }}
 token: ${{ env.DOCKER_TOKEN }}
- - name: Sign the published Docker image
- run: |
- cosign sign --key cosign.key \
- -a "repo=${{ github.repository }}" \
- -a "workflow=${{ github.workflow }}" \
- -a "ref=${{ github.sha }}" \
- ghcr.io/${{ inputs.repo }}/${{ inputs.image-as }}:${{ env.PKG_VERSION }}-${{ github.run_id }}
- env:
- COSIGN_PASSWORD: ${{ secrets.cosign_password }}
+
 - name: 'Tag Docker'
 uses: ./.github/actions/tagDocker
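Review bot: With the "Sign the published Docker image" step gone, the production reference `ghcr.io/${{ inputs.repo }}/${{ inputs.image-as }}:${{ env.PKG_VERSION }}-${{ github.run_id }}` is no longer signed by this workflow; a cosign signature is bound to a manifest digest, so that reference stays verifiable only if the `./.github/actions/tagDocker` action re-tags the exact digest signed in sfp-build-docker.yml rather than pushing a new manifest — the action is not visible here, please confirm. To fail closed, consider a `cosign verify` step before 'Tag Docker' that checks the source image with `--certificate-oidc-issuer` and `--certificate-identity` matching the build workflow's identity, so an unsigned or tampered candidate is never promoted. The `signing_secret` and `cosign_password` secrets are now unused and should be removed from the environment (and the key rotated out) so they cannot be picked up by a stale caller. The enclosing job starts outside this hunk.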