Sign images by cosign

Signed-off-by: Lan Liang <gcslyp@gmail.com>
karmada-io · Apr 20, 2023 · 26a41f4 · 26a41f4
1 parent 2be4b33
commit 26a41f4
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/.github/workflows/dockerhub-latest-image.yml b/.github/workflows/dockerhub-latest-image.yml
@@ -5,7 +5,10 @@ on:
       - master
 jobs:
   publish-image-to-dockerhub:
+
     name: publish to DockerHub
+    permissions:
+      id-token: write # To be able to get OIDC ID token to sign images.
     # prevent job running from forked repository, otherwise
     # 1. running on the forked repository would fail as missing necessary secret.
     # 2. running on the forked repository would use unnecessary GitHub Action time.
@@ -36,6 +39,8 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.19.5
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
       - name: install QEMU
         uses: docker/setup-qemu-action@v2
       - name: install Buildx
@@ -47,6 +52,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: build and publish images
         env:
-          REGISTRY: karmada
+          REGISTRY: lypgcs
           VERSION: latest
+          COSIGN_EXPERIMENTAL: 1
         run: make mp-image-${{ matrix.target }}
diff --git a/.github/workflows/dockerhub-released-image.yml b/.github/workflows/dockerhub-released-image.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub
+    permissions:
+      id-token: write # To be able to get OIDC ID token to sign images.
     strategy:
       matrix:
         target:
@@ -32,6 +34,8 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.19.5
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
       - name: install QEMU
         uses: docker/setup-qemu-action@v2
       - name: install Buildx
@@ -43,6 +47,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: build and publish images
         env:
-          REGISTRY: karmada
+          REGISTRY: lypgcs
           VERSION: ${{ github.ref_name }}
+          COSIGN_EXPERIMENTAL: 1
         run: make mp-image-${{ matrix.target }}
diff --git a/hack/docker.sh b/hack/docker.sh
@@ -66,6 +66,7 @@ function build_local_image() {
 
   if [[ "$output_type" == "registry" ]]; then
     docker push "${image_name}"
+    signImage ${image_name}
   fi
 }
 
@@ -85,9 +86,17 @@ function build_cross_image() {
           --tag "${image_name}" \
           --file "${REPO_ROOT}/cluster/images/buildx.Dockerfile" \
           "${REPO_ROOT}/_output/bin"
+  signImage ${image_name}
   set +x
 }
 
+function signImage(){
+  local -r target=$1
+  echo "signing image: "${target}
+
+cosign sign --yes ${target}
+}
+
 function isCross() {
   local platforms=$1