Sign releases and main branch parca images with cosign (opensearch-pr…

…oject#402) * Sign releases and main branch parca images with cosign Signed-off-by: Kemal Akkoyun <kakkoyun@gmail.com> * Address issues Signed-off-by: Kemal Akkoyun <kakkoyun@gmail.com>
joshuali925 · May 14, 2022 · 1a57423 · 1a57423
1 parent a211417
commit 1a57423
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -10,6 +10,10 @@ jobs:
   build:
     name: Container build and push
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v3
@@ -27,6 +31,10 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y qemu-user-static
 
+      - name: Install cosign
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: sigstore/cosign-installer@v2.3.0
+
       - name: Build container
         run: make container
 
@@ -38,6 +46,9 @@ jobs:
 
       - name: Push container
         if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: true
         run: |
           make push-container
-          make push-quay-container
+          make sign-container
+          make push-signed-quay-container
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -100,7 +100,14 @@ jobs:
   container:
     name: Container build and release
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
     steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2.3.0
+
       - name: Check out code into the Go module directory
         uses: actions/checkout@v3
 
@@ -123,3 +130,9 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         run: |
           make push-container
+      
+      - name: Sign container
+        env:
+          COSIGN_EXPERIMENTAL: true
+        run: |
+          make sign-container
diff --git a/Makefile b/Makefile
@@ -223,10 +223,18 @@ check_%:
 container:
 	./make-containers.sh $(OUT_DOCKER):$(VERSION)
 
+.PHONY: sign-container
+sign-container:
+	cosign sign --force -a GIT_HASH=$(COMMIT) -a GIT_VERSION=$(VERSION) $(OUT_DOCKER)@$(shell podman inspect $(OUT_DOCKER):$(VERSION) --format "{{ .Digest }}")
+
 .PHONY: push-container
 push-container:
 	podman manifest push --all $(OUT_DOCKER):$(VERSION) docker://$(OUT_DOCKER):$(VERSION)
 
+.PHONY: push-signed-quay-container
+push-signed-quay-container:
+	cosign copy $(OUT_DOCKER):$(VERSION) quay.io/parca/parca:$(VERSION)
+
 .PHONY: push-quay-container
 push-quay-container:
 	podman manifest push --all $(OUT_DOCKER):$(VERSION) docker://quay.io/parca/parca-agent:$(VERSION)