add cosign for image signing #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Image CI | |
| on: | |
| push: | |
| branches: [ main, kwasm-lifecycle-manager ] | |
| tags: [ '*' ] | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| buildx: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # cosign uses the GitHub OIDC token | |
| id-token: write | |
| # needed to upload artifacts to a GH release | |
| contents: write | |
| packages: write | |
| repository-projects: write | |
| steps: | |
| - # Checkout Repository | |
| name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - # Set up QEMU | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@v1 | |
| - # Setup Docker buildx | |
| name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - # Install cosign | |
| name: Install Cosign | |
| uses: sigstore/[email protected] | |
| with: | |
| cosign-release: v2.2.0 | |
| - # Login into registry | |
| name: Login to GitHub Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - # Extract Docker metadata | |
| name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| - # Build and push to GHCR Registry | |
| name: Build and push Docker image | |
| uses: docker/build-push-action@v5 | |
| id: build-tagged | |
| with: | |
| push: ${{ github.event_name != 'pull_request' }} | |
| platforms: linux/amd64,linux/arm64 | |
| labels: ${{ steps.meta.outputs.labels }} | |
| file: Dockerfile | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| tags: | | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} | |
| ${{ steps.meta.outputs.tags }} | |
| - # Keyless signing of Image with Cosign | |
| name: Sign the image with GitHub OIDC token | |
| shell: bash | |
| run: | | |
| cosign sign \ | |
| --yes \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }} | |
| - # Prepare verification assets | |
| name: Prepare assets for upload | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: | | |
| mkdir _dist | |
| cat <<EOF > verify.txt | |
| cosign verify \\ | |
| --certificate-identity https://github.com/${{ github.workflow_ref }} \\ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \\ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:@${{ steps.build-tagged.outputs.digest }} | |
| EOF | |
| cp verify.txt _dist/ | |
| - # Upload verification assets | |
| name: upload binary as GitHub artifact | |
| if: runner.os != 'Windows' | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kwasm | |
| path: _dist/ | |
| - # Configure Git | |
| name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "[email protected]" | |
| - # Install Helm | |
| name: Install Helm | |
| uses: azure/setup-helm@v3 | |
| with: | |
| version: v3.10.0 | |
| - # Run chart-releaser | |
| name: Run chart-releaser | |
| if: github.ref == 'refs/heads/main' | |
| uses: helm/[email protected] | |
| env: | |
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |