ci: sign images

Signed-off-by: Moritz Wanzenböck <[email protected]>
piraeusdatastore · Jul 3, 2024 · d5acabf · d5acabf
1 parent be4b964
commit d5acabf
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml
@@ -23,6 +23,9 @@ jobs:
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3
+      - name: Set up cosign
+        uses: sigstore/cosign-installer@v3
+        # if: ${{ github.event_name != 'pull_request' }}
       - name: login to Docker Hub
         if: ${{ github.event_name != 'pull_request' }}
         uses: docker/login-action@v3
@@ -36,14 +39,28 @@ jobs:
           registry: quay.io
           username: ${{ secrets.QUAYIO_USERNAME }}
           password: ${{ secrets.QUAYIO_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push
         uses: docker/bake-action@v5
+        id: bake
         with:
           builder: ${{ steps.buildx.outputs.name }}
           workdir: dockerfiles
           provenance: true
           sbom: true
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
+          targets: ktls-utils
         env:
           GIT_COMMIT: ${{ github.sha }}
           CACHE: true
+          REGISTRIES: ghcr.io/piraeusdatastore
+      - name: Sign images
+        run: |
+          jq '.[] | ."containerimage.digest" as $DIGEST | ."image.name" | split(",")[] | "\(.)@\($DIGEST)"' -r <<<'${{ steps.bake.outputs.metadata }}' \
+            | xargs cosign sign --yes
diff --git a/dockerfiles/docker-bake.hcl b/dockerfiles/docker-bake.hcl
@@ -25,10 +25,7 @@ variable VERSIONS {
 }
 
 variable "REGISTRIES" {
-  default = [
-    "quay.io/piraeusdatastore",
-    "docker.io/piraeusdatastore",
-  ]
+  default = "quay.io/piraeusdatastore,docker.io/piraeusdatastore"
 }
 
 # Replace all characters that are not supported in a target name with "-".
@@ -41,7 +38,7 @@ function "escape" {
 function "tags" {
   params = [name, version]
   result = flatten([
-    for registry in REGISTRIES :
+    for registry in split(",", REGISTRIES) :
     [
       // Full version
       "${registry}/${name}:v${version}",

diff --git a/dockerfiles/drbd-driver-loader/Dockerfile.centos7 b/dockerfiles/drbd-driver-loader/Dockerfile.centos7
@@ -1,7 +1,8 @@
 FROM centos:centos7
 MAINTAINER Roland Kammerer <[email protected]>
 
-RUN yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical && \
+RUN sed -e 's/^mirrorlist=/#mirrorlist=/' -e 's%^#baseurl=http://mirror.centos.org%baseurl=http://vault.centos.org%' -i /etc/yum.repos.d/*.repo && \
+    yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical && \
 	yum install -y gcc make patch diffutils perl kmod && yum clean all -y
 
 ARG DRBD_VERSION