Merge branch 'sigstore_docker' into development

2022-12-08 10:45:30 +01:00 · 2022-12-08 10:45:30 +01:00 · a141eccfa1
commit a141eccfa1
parent 04dbfb9d31 4c8b1f973e
1 changed files with 36 additions and 1 deletions
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@ -102,6 +102,13 @@ jobs:
    # Run only on tagging
    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+      
    steps:
    -
      name: Set env
@ -126,11 +133,26 @@ jobs:
    -
      name: Checkout repository
      uses: actions/checkout@v2
+      
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+    -
+      name: Install cosign
+      if: github.event_name != 'pull_request'
+      uses: sigstore/cosign-installer@main
    -
      name: Download a single artifact
      uses: actions/download-artifact@v2
      with:
          name: Package
+    -
+      name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v3
+      with:
+         images: anhefti/seb-server
+         tags: |
+           type=raw,${{ env.TAG_NAME }}
    -
      name: Build and push
      id: docker_build
@ -140,4 +162,17 @@ jobs:
        file: ./docker/Dockerfile
        push: true
        tags: |
-          anhefti/seb-server:${{ env.TAG_NAME }}
+          anhefti/seb-server:${{ env.TAG_NAME }}
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+    - name: Sign the published Docker image
+      if: ${{ github.event_name != 'pull_request' }}
+      # This step uses the identity token to provision an ephemeral certificate
+      # against the sigstore community Fulcio instance.
+      run: cosign sign ${TAGS}
+      env:
+        COSIGN_EXPERIMENTAL: true
+        TAGS: ${{ steps.meta.outputs.tags }}