add tag signing #16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker Image CI | |
on: | |
push: | |
branches: [ main, kwasm-lifecycle-manager ] | |
tags: [ '*' ] | |
pull_request: | |
branches: [ main ] | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: ${{ github.repository }} | |
jobs: | |
buildx: | |
runs-on: ubuntu-latest | |
permissions: | |
# cosign uses the GitHub OIDC token | |
id-token: write | |
# needed to upload artifacts to a GH release | |
contents: write | |
packages: write | |
repository-projects: write | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- # Set up QEMU | |
name: Set up QEMU | |
uses: docker/setup-qemu-action@v1 | |
- # Setup Docker buildx | |
name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v2 | |
- # Install cosign | |
name: Install Cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: v2.2.0 | |
- # Login into registry | |
name: Login to GitHub Container Registry | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
- | |
name: Build and push Docker image | |
uses: docker/build-push-action@v5 | |
id: build-tagged | |
with: | |
push: ${{ github.event_name != 'pull_request' }} | |
platforms: linux/amd64,linux/arm64 | |
labels: ${{ steps.meta.outputs.labels }} | |
file: Dockerfile | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
tags: | | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} | |
${{ steps.meta.outputs.tags }} | |
- | |
name: Sign the image with GitHub OIDC token | |
shell: bash | |
run: | | |
cosign sign \ | |
--yes \ | |
--output-certificate crt.pem \ | |
--output-signature kwasm.sig \ | |
-a ${{ steps.meta.outputs.tags }} \ | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }} | |
- | |
name: prepare assets for upload | |
if: runner.os != 'Windows' | |
shell: bash | |
run: | | |
mkdir _dist | |
cat <<EOF > verify.txt | |
cosign verify \\ | |
--signature kwasm.sig --certificate crt.pem \\ | |
--certificate-identity https://github.com/${{ github.workflow_ref }} \\ | |
--certificate-oidc-issuer https://token.actions.githubusercontent.com \\ | |
--certificate-github-workflow-sha ${{ github.workflow_sha }} \\ | |
--certificate-github-workflow-repository voigt/kwasm-operator \\ | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }} | |
EOF | |
cp crt.pem kwasm.sig verify.txt _dist/ | |
- | |
name: upload binary as GitHub artifact | |
if: runner.os != 'Windows' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: kwasm | |
path: _dist/ | |
- | |
name: Configure Git | |
run: | | |
git config user.name "$GITHUB_ACTOR" | |
git config user.email "[email protected]" | |
- | |
name: Install Helm | |
uses: azure/setup-helm@v3 | |
with: | |
version: v3.10.0 | |
- | |
name: Run chart-releaser | |
if: github.ref == 'refs/heads/main' | |
uses: helm/[email protected] | |
env: | |
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |