ci: Sign release and containers with Cosign and GitHub OIDC

- Replace the Cosign static key with GitHub Actions OIDC when signing the flagger container image - Sign the GitHub release assets checksums with Cosign keyless - Sign the load-tester container image with Cosign keyless Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
fluxcd · Oct 21, 2022 · a0baeb5 · a0baeb5
1 parent fb66d24
commit a0baeb5
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 81 deletions.
diff --git a/.cosign/README.md b/.cosign/README.md
diff --git a/.cosign/cosign.key b/.cosign/cosign.key
diff --git a/.cosign/cosign.pub b/.cosign/cosign.pub
diff --git a/.github/workflows/push-ld.yml b/.github/workflows/push-ld.yml
@@ -12,9 +12,11 @@ jobs:
   release-load-tester:
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       packages: write
     steps:
       - uses: actions/checkout@v2
+      - uses: sigstore/cosign-installer@main
       - name: Prepare
         id: prep
         run: |
@@ -52,6 +54,8 @@ jobs:
             REVISION=${{ github.sha }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Check images
+      - name: Sign image
+        env:
+          COSIGN_EXPERIMENTAL: 1
         run: |
-          docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
       id-token: write # needed for keyless signing
       packages: write # needed for ghcr access
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: sigstore/cosign-installer@main
       - name: Prepare
         id: prep
@@ -29,12 +29,12 @@ jobs:
           echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
           echo ::set-output name=VERSION::${VERSION}
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: fluxcdbot
@@ -60,17 +60,10 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
       - name: Sign image
+        env:
+          COSIGN_EXPERIMENTAL: 1
         run: |
-          echo -n "${{secrets.COSIGN_PASSWORD}}" | \
-          cosign sign -key ./.cosign/cosign.key -a git_sha=$GITHUB_SHA \
-          ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
-      - name: Check images
-        run: |
-          docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
-      - name: Verifiy image signature
-        run: |
-          cosign verify -key ./.cosign/cosign.pub \
-          ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
       - name: Publish Helm charts
         uses: stefanprodan/helm-gh-pages@v1.6.0
         with:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -15,3 +15,16 @@ sboms:
     artifacts: source
     documents:
       - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true