CORE 2217 add option to sign images

3lvia · Jan 17, 2025 · fedc6d8 · fedc6d8
1 parent 3d36170
commit fedc6d8
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
@@ -262,6 +262,7 @@ jobs:
           registry: ${{ matrix.registry }}
           trivy-upload-report: 'true'
           trivy-post-comment: 'true'
+          sign-image: 'true'
           AZURE_CLIENT_ID: ${{ vars.ACR_CLIENT_ID }}
 
   build-vulnerable-service:

diff --git a/build/action.yml b/build/action.yml
@@ -70,6 +70,10 @@ inputs:
       This action requires the permission `pull-requests: write` to be set for the job.
     required: false
     default: 'false'
+  sign-image:
+    description: 'If `true`, the action will sign the Docker image with Cosign. This will default to `true` in the near future.'
+    required: false
+    default: 'false'
   checkout:
     description: 'If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.'
     required: false
@@ -105,6 +109,9 @@ outputs:
   image-name:
     description: 'Name of the Docker image that was built, with tag.'
     value: ${{ steps.get-outputs.outputs.image-name }}
+  image-digest:
+    description: 'Name of the Docker image that was built, with digest.'
+    value: ${{ steps.get-outputs.outputs.image-name }}
 
 runs:
   using: 'composite'
@@ -163,6 +170,10 @@ runs:
       with:
         version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 
+    - name: Install Cosign if not using Elvia runner
+      if: ${{ !startsWith(runner.name, 'elvia-runner-') && inputs.sign-image == 'true' }}
+      uses: sigstore/cosign-installer@v3
+
     - name: Handle deprecated inputs
       shell: bash
       run: |
@@ -206,7 +217,29 @@ runs:
       shell: bash
       id: get-outputs
       run: |
-        echo "image-name=$(cat /tmp/3lv-cli-output/image-name)" >> "$GITHUB_OUTPUT"
+        IMAGE_NAME=$(cat /tmp/3lv-cli-output/image-name)
+
+        echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
+        echo "image-digest=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)" >> "$GITHUB_OUTPUT"
+
+    - name: Sign image with Cosign using GitHub OIDC token
+      if: ${{ inputs.sign-image == 'true' }}
+      shell: bash
+      run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_DIGEST"
+      env:
+        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
+
+    - name: Verify image signatue
+      if: ${{ inputs.sign-image == 'true' }}
+      shell: bash
+      run: |
+        cosign verify \
+          --certificate-identity "$CERTIFICATE_IDENTITY" \
+          --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+          "$IMAGE_DIGEST" | jq
+      env:
+        CERTIFICATE_IDENTITY: 'https://github.com/${{ github.workflow_ref }}'
+        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
 
     - name: Upload Trivy scan results to GitHub Advanced Security
       if: ${{ inputs.trivy-upload-report == 'true' && !cancelled() }}