WIP sign images after build

3lvia · Jan 8, 2025 · 8366801 · 8366801
1 parent 0a7a617
commit 8366801
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 4 deletions.
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
@@ -219,9 +219,7 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJson(needs.prepare-jobs.outputs.matrix-build) }}
     concurrency:
-      group: |
-        ${{ github.workflow }}-${{ github.event_name }}-${{ matrix.runner }}-${{ matrix.application-name }}-${{ matrix.project-file }}-${{ matrix.registry }}
-      cancel-in-progress: true
+      group: '${{ matrix.application-name }}-${{ matrix.registry }}'
     runs-on: ${{ matrix.runner }}
     permissions:
       actions: read

diff --git a/build/action.yml b/build/action.yml
@@ -105,6 +105,9 @@ outputs:
   image-name:
     description: 'Name of the Docker image that was built, with tag.'
     value: ${{ steps.get-outputs.outputs.image-name }}
+  image-digest:
+    description: 'Name of the Docker image that was built, with digest.'
+    value: ${{ steps.get-outputs.outputs.image-name }}
 
 runs:
   using: 'composite'
@@ -163,6 +166,10 @@ runs:
       with:
         version: '0.27.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 
+    - name: Install Cosign if not using Elvia runner # TODO: install on Elvia runner
+      # if: ${{ !startsWith(runner.name, 'elvia-runner-') }}
+      uses: sigstore/cosign-installer@v3
+
     - name: Handle deprecated inputs
       shell: bash
       run: |
@@ -206,7 +213,27 @@ runs:
       shell: bash
       id: get-outputs
       run: |
-        echo "image-name=$(cat /tmp/3lv-cli-output/image-name)" >> "$GITHUB_OUTPUT"
+        IMAGE_NAME=$(cat /tmp/3lv-cli-output/image-name)
+
+        echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
+        echo "image-digest=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)" >> "$GITHUB_OUTPUT"
+
+    - name: Sign image with Cosign using GitHub OIDC token
+      shell: bash
+      run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_DIGEST"
+      env:
+        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
+
+    - name: Verify image signatue
+      shell: bash
+      run: |
+        cosign verify \
+          --certificate-identity "$CERTIFICATE_IDENTITY" \
+          --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+          "$IMAGE_DIGEST" | jq
+      env:
+        CERTIFICATE_IDENTITY: 'https://github.com/${{ github.workflow_ref }}'
+        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
 
     - name: Upload Trivy scan results to GitHub Advanced Security
       if: ${{ inputs.trivy-upload-report == 'true' && !cancelled() }}