From 60d206d0900a9e3b4de3779cb2f5277c6304c887 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 6 Dec 2021 09:05:19 -0800 Subject: [PATCH] Have the starter `docker-publish` action sign digests. (#1255) * Have the starter `docker-publish` action sign digests. This change installs `sigstore/cosign` using the `cosign-installer` action, and uses sigstore's "keyless" signing process to sign the resulting image digest using the action's identity token (see: `id-token: write`). Signed-off-by: Matt Moore * Fully qualify the digest, add setup-buildx-action as workaround * Drop --force, add public repo check * Use built-in 'private' bit --- ci/docker-publish.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index ab266ef..3b55fce 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -29,11 +29,24 @@ jobs: permissions: contents: read packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - name: Checkout repository uses: actions/checkout@v2 + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} @@ -55,9 +68,26 @@ jobs: # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc with: context: . push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + # Sign the resulting Docker image digest except on PRs and private repos + # The keyless signing process records signatures on the Rekor public + # transparency log, so signing is disabled for private repos by default + # to avoid leaking private data. If you wish to sign things anyways, + # then this check can be removed and --force can be added to the cosign + # command below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance, and records it to the + # sigstore community Rekor transparency log. + run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}