feat(cd): sign released container images and Helm chart

Signed-off-by: hainenber <dotronghai96@gmail.com>
microsoft · Mar 27, 2024 · 0195776 · 0195776
1 parent c51bb00
commit 0195776
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 1 deletion.
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
@@ -40,6 +40,10 @@ jobs:
         uses: actions/setup-go@v4
         with:
           go-version: ">=1.21.0"
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.4.0
+      - name: Write signing key to disk (only needed for `cosign sign --key`)
+        run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key
       - name: Run GoReleaser release
         uses: goreleaser/goreleaser-action@v5
         with:
@@ -48,3 +52,12 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Sign container image
+        run: |
+          export TAG=(make version)
+          cosign sign --key cosign.key \
+            ghcr.io/${{ github.repository }}/kubectl-retina:$TAG \
+            ghcr.io/${{ github.repository }}/kubectl-retina:$TAG-linux-amd64 \
+            ghcr.io/${{ github.repository }}/kubectl-retina:$TAG-linux-arm64
+        env:
+          COSIGN_PASSWORD: "" 
diff --git a/.github/workflows/release-charts.yaml b/.github/workflows/release-charts.yaml
@@ -23,11 +23,24 @@ jobs:
 
       - name: Log in to registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u $ --password-stdin
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v6.1.0
+        with:
+          gpg_private_key: ${{ secrets.HELM_CHART_SIGNING_GPG_PRIVATE_KEY }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
 
-      - name: Build/Push Chart
+      - name: Export GPG key to legacy format
+        run: gpg --export-secret-keys > ~/.gnupg/pubring.gpg
+
+      - name: Build, Sign and Push Chart
         shell: bash
         run: |
           set -euo pipefail
           export TAG=$(make version)
+          gpg --allow-secret-key-export --export-secret-key "${{ steps.import_gpg.outputs.keyid }}" --output ~/.gnupg/secring.gpg
+          helm package --sign --key "${{ steps.import_gpg.outputs.name }}" --keyring ~/.gnupg/secring.gpg  ./deploy/manifests/controller/helm/retina
           helm package ./deploy/manifests/controller/helm/retina --version $TAG
           helm push retina-*.tgz oci://ghcr.io/${{ github.repository }}/charts
diff --git a/.github/workflows/release-images.yaml b/.github/workflows/release-images.yaml
@@ -27,6 +27,12 @@ jobs:
         with:
           go-version: ">=1.21.0"
       - run: go version
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.4.0
+
+      - name: Write signing key to disk (only needed for `cosign sign --key`)
+        run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -43,6 +49,16 @@ jobs:
             IMAGE_NAMESPACE=${{ github.repository }} \
             PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
             BUILDX_ACTION=--push
+      
+      - name: Sign container image
+        run: |
+          cosign sign --key cosign.key \
+            ghcr.io/${{ github.repository }}/retina-agent:$TAG \
+            ghcr.io/${{ github.repository }}/retina-agent:$TAG-${{ matrix.platform }}-${{ matrix.arch }} \
+            ghcr.io/${{ github.repository }}/retina-init:$TAG \
+            ghcr.io/${{ github.repository }}/retina-init:$TAG-${{ matrix.platform }}-${{ matrix.arch }}
+        env:
+          COSIGN_PASSWORD: ""
 
   retina-win-images:
     name: Build Agent Windows Images
@@ -62,6 +78,12 @@ jobs:
           go-version: ">=1.21.0"
       - run: go version
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.4.0
+
+      - name: Write signing key to disk (only needed for `cosign sign --key`)
+        run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -78,6 +100,16 @@ jobs:
             PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
             BUILDX_ACTION=--push
 
+      - name: Sign container image
+        run: |
+          cosign sign --key cosign.key \
+            ghcr.io/${{ github.repository }}/retina-agent:$TAG-windows-ltsc2019-${{ matrix.arch }} \
+            ghcr.io/${{ github.repository }}/retina-init:$TAG-windows-ltsc2019-${{ matrix.arch }} \
+            ghcr.io/${{ github.repository }}/retina-agent:$TAG-windows-ltsc2022-${{ matrix.arch }} \
+            ghcr.io/${{ github.repository }}/retina-init:$TAG-windows-ltsc2022-${{ matrix.arch }}
+        env:
+          COSIGN_PASSWORD: ""
+
   operator-images:
     name: Build Operator Images
     runs-on: ubuntu-latest
@@ -95,6 +127,12 @@ jobs:
         with:
           go-version: ">=1.21.0"
       - run: go version
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.4.0
+
+      - name: Write signing key to disk (only needed for `cosign sign --key`)
+        run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -111,6 +149,14 @@ jobs:
             IMAGE_NAMESPACE=${{ github.repository }} \
             PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
             BUILDX_ACTION=--push
+          
+      - name: Sign container image
+        run: |
+          cosign sign --key cosign.key \
+            ghcr.io/${{ github.repository }}/retina-operator:$TAG \
+            ghcr.io/${{ github.repository }}/retina-operator:$TAG-${{ matrix.platform }}-${{ matrix.arch }}
+        env:
+          COSIGN_PASSWORD: ""
 
   manifests:
     name: Generate Manifests