Skip to content

Sign container images #377

Sign container images

Sign container images #377

Workflow file for this run

name: Sign container images
on:
workflow_run:
workflows: ["Build and push multi-arch images"]
types:
- completed
workflow_dispatch:
jobs:
sign:
name: Create attestation
runs-on: ubuntu-latest
strategy:
matrix:
version: ['3.2', '3.3']
permissions:
packages: write
id-token: write
steps:
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/cosign-installer@v3.4.0
- uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
id: syft
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::172025368201:role/github_action_image_attestation"
role-session-name: sign-govuk-ruby-images
aws-region: eu-west-1
- name: Create attestation
run: |
BASE_IMAGE='ghcr.io/alphagov/govuk-ruby-base:${{ matrix.version }}'
BUILDER_IMAGE='ghcr.io/alphagov/govuk-ruby-builder:${{ matrix.version }}'
SYFT='${{steps.syft.outputs.cmd }}'
$SYFT --output spdx-json "${BASE_IMAGE}" > base.spdx.json
$SYFT --output spdx-json "${BUILDER_IMAGE}" > builder.spdx.json
cosign attest -y --type spdxjson --predicate base.spdx.json --key "awskms:///alias/container-signing-key" "${BASE_IMAGE}"
cosign attest -y --type spdxjson --predicate builder.spdx.json --key "awskms:///alias/container-signing-key" "${BUILDER_IMAGE}"