diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 000201b70..fe5452d1f 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -30,7 +30,6 @@ env: TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} - DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" @@ -172,7 +171,6 @@ jobs: contents: read id-token: write packages: write - attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -270,6 +268,16 @@ jobs: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 + - name: Install cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + run: cosign version + - name: Set up QEMU uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: @@ -302,7 +310,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -379,14 +387,25 @@ jobs: cache-from: ${{ steps.cache_data.outputs.cache_from }} cache-to: ${{ steps.cache_data.outputs.cache_to }} - - name: Attest images + - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - id: attest - uses: actions/attest-build-provenance@v1 - with: - subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }} - subject-digest: ${{ steps.docker_build.outputs.digest }} - push-to-registry: true + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" - name: Image metadata env: @@ -422,7 +441,6 @@ jobs: contents: read id-token: write packages: write - attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -460,6 +478,16 @@ jobs: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 + - name: Install cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + run: cosign version + - name: Set up QEMU uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: @@ -492,7 +520,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -525,20 +553,24 @@ jobs: echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT - - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} attestation + - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} - REPOSITORY: ${{ github.repository }} - DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} run: | echo "::group::Image sign data" + echo "OIDC issuer=$OIDC_ISSUER" + echo "Identity=$IDENTITY_REGEX" echo "Image to verify=$BASE_IMAGE" echo "::endgroup::" echo "::group::Verify signature" - gh attestation verify oci://$DOCKER_REGISTRY/$BASE_IMAGE -R $REPOSITORY + cosign verify \ + --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ + --certificate-identity-regexp "$IDENTITY_REGEX" \ + "$BASE_IMAGE" echo "::endgroup::" - name: Prepare cache data @@ -607,14 +639,25 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - - name: Attest images + - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - id: attest - uses: actions/attest-build-provenance@v1 - with: - subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} - subject-digest: ${{ steps.docker_build.outputs.digest }} - push-to-registry: true + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" - name: Image metadata env: @@ -651,7 +694,6 @@ jobs: contents: read id-token: write packages: write - attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -781,6 +823,22 @@ jobs: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 + - name: Install cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + run: cosign version + + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + image: tonistiigi/binfmt:latest + platforms: all + - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: @@ -836,7 +894,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -871,6 +929,26 @@ jobs: echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT + - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign + if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }} + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} + run: | + echo "::group::Image sign data" + echo "OIDC issuer=${OIDC_ISSUER}" + echo "Identity=${IDENTITY_REGEX}" + echo "Image to verify=${BASE_IMAGE}" + echo "::endgroup::" + + echo "::group::Verify signature" + cosign verify \ + --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \ + --certificate-identity-regexp "${IDENTITY_REGEX}" \ + "${BASE_IMAGE}" + echo "::endgroup::" + - name: Prepare cache data if: ${{ matrix.build != 'snmptraps' }} id: cache_data @@ -915,14 +993,25 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - - name: Attest images + - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - id: attest - uses: actions/attest-build-provenance@v1 - with: - subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} - subject-digest: ${{ steps.docker_build.outputs.digest }} - push-to-registry: true + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" - name: Image metadata if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}