Update permissions and add Cosign installer

sredevopsorg · Mar 15, 2024 · 7122acf · 7122acf
1 parent 0313c61
commit 7122acf
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/.github/workflows/build-custom-image.yaml b/.github/workflows/build-custom-image.yaml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      contents: write
+      contents: read
       packages: write
       id-token: write # needed for signing the images with GitHub OIDC Token
 
@@ -36,6 +36,10 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Install Cosign
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: sigstore/cosign-installer@v3.4.0
+
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -85,7 +89,6 @@ jobs:
             type=ref,event=branch,ref=main
           labels: |
             org.opencontainers.image.title=ghost-on-kubernetes
-            org.opencontainers.image.description=Deploy a full Ghost CMS v5 (latest release from @TryGhost), distroless for any Kubernetes (k3s, GKE, AKS, etc) production-ready, using our custom image with enhanced specs.
             org.opencontainers.image.vendor=https://sredevops.org
             org.opencontainers.image.source=https://github.com/sredevopsorg/ghost-on-kubernetes
             org.opencontainers.image.documentation=https://github.com/sredevopsorg/ghost-on-kubernetes/blob/main/README.md
@@ -132,6 +135,19 @@ jobs:
           build-args: |
             GHOST_VERSION=${{ steps.versions.outputs.GHOST_VERSION }} 
 
+      - name: Sign image with a key
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
 
       -
         name: Build pull request

diff --git a/Dockerfile b/Dockerfile
@@ -37,6 +37,7 @@ USER root
 
 # Move the original content directory to a backup location, create a new content directory, set the correct ownership and permissions, and switch back to the "node" user
 RUN mv -v $GHOST_CONTENT $GHOST_CONTENT_ORIGINAL && \
+  rm -rfv $GHOST_CONTENT_ORIGINAL && \
   mkdir -pv $GHOST_CONTENT && \
   chown -R node:node $GHOST_INSTALL && \
   chmod 1777 $GHOST_CONTENT