Skip to content

Commit

Permalink
ci(release): add oci artifact signature with cosign
Browse files Browse the repository at this point in the history
Signed-off-by: Massimiliano Giovagnoli <me@maxgio.it>
  • Loading branch information
maxgio92 authored and poiana committed Jul 18, 2023
1 parent 49ade64 commit 72dbc30
Showing 1 changed file with 29 additions and 6 deletions.
35 changes: 29 additions & 6 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,42 +9,65 @@ on:
jobs:
release-rulesfile:
runs-on: ubuntu-latest

env:
RULES_FILE: falco_rules.yaml

OCI_REGISTRY: ghcr.io
ARTIFACT_NAME: falco-rules

AWS_S3_BUCKET: falco-distribution
AWS_S3_PREFIX: rules
AWS_S3_REGION: eu-west-1

# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
id-token: write
contents: read
packages: write

steps:

# Get rules repository
- name: Checkout Rules
uses: actions/checkout@v3

# Get registry artifact tool
- name: Setup Golang
uses: actions/setup-go@v3
with:
go-version: '^1.19'

go-version-file: build/registry/go.mod
- name: Build registry artifact tool
working-directory: build/registry
run: go build -o rules-registry ./...

- name: Get lowercase OCI repo prefix
run: |
echo "OCI_REPO_PREFIX=ghcr.io/${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
- name: Upload OCI artifacts to GitHub packages
id: oci_build
env:
REGISTRY_USER: ${{ github.repository_owner }}
REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git

# uses OCI_REPO_PREFIX environment variable
run: build/registry/rules-registry push-to-oci registry.yaml ${{ github.ref_name }}
run: >-
echo "::set-output name=ARTIFACT_DIGEST::$(
build/registry/rules-registry push-to-oci registry.yaml ${{ github.ref_name }}
)"
- run: "echo ${{ steps.oci_build.outputs.ARTIFACT_DIGEST }}"

# Create a signature of the rules artifact as OCI artifact
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v2.0.2'
- run: cosign version
- name: Sign the images with GitHub OIDC Token
env:
# Add support for OCI v1.1
COSIGN_EXPERIMENTAL: 1
run: cosign sign --yes ${OCI_REGISTRY}/${{ github.repository }}/${ARTIFACT_NAME}@${{ steps.oci_build.outputs.ARTIFACT_DIGEST }}

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
Expand Down

0 comments on commit 72dbc30

Please sign in to comment.