[Merged by Bors] - Update templated files to rev ec01d15

.github/workflows/build.yml

@@ -282,6 +282,8 @@ jobs:
  - tests_passed
  - select_helm_repo
  runs-on: ubuntu-latest
+ permissions:
+ id-token: write
  env:
  NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
  HELM_REPO: ${{ needs.select_helm_repo.outputs.helm_repository }}
@@ -312,6 +314,8 @@ jobs:
  # Recreate charts and publish charts and docker image. The "-e" is needed as we want to override the
  # default value in the makefile if called from this action, but not otherwise (i.e. when called locally).
  # This is needed for the HELM_REPO variable.
+ - name: Set up Cosign
+ uses: sigstore/cosign-installer@v3.0.5
  - name: Publish Docker image and Helm chart
  run: make -e publish
  # Output the name of the published image to the Job output for later use

Makefile

@@ -30,7 +30,16 @@ docker-build:
 
 docker-publish:
  echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"
- docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}"
+ DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\
+ # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
+ REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
+ if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\
+ echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}';\
+ exit 1;\
+ fi;\
+ # This generates a signature and publishes it to the registry, next to the image\
+ # Uses the keyless signing flow with Github Actions as identity provider\
+ cosign sign -y ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:@$$REPO_DIGEST_OF_IMAGE
 
 # TODO remove if not used/needed
 docker: docker-build docker-publish