feat(slsa/image-sign): Keyless image signing using Cosign

filter uniq registry and sign using digest Always recursively sign manifest digests if present
Scimia · Oct 12, 2023 · 64f9f38 · 64f9f38
1 parent c03e30a
commit 64f9f38
Show file tree

Hide file tree

Showing 4 changed files with 733 additions and 0 deletions.
diff --git a/.github/workflows/docker-image-sign.yml b/.github/workflows/docker-image-sign.yml
@@ -0,0 +1,90 @@
+name: Docker Sign Test
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    tags:
+    - '*'
+  workflow_dispatch: {}
+
+jobs:
+  test-sign-docker-image:
+
+    permissions:
+      contents: read
+      packages: write # needed to upload to packages to registry
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+    name: Test Sign Docker Image
+    runs-on: ubuntu-22.04
+    env:
+      PRERELEASE_IMAGE: kongcloud/security-test-repo-pub:ubuntu_23_10 #particular reason for the choice of image: test multi arch image
+      TAGS: kongcloud/security-test-repo-pub:ubuntu_23_10,kongcloud/security-test-repo:ubuntu_23_10
+    steps:
+
+    - uses: actions/checkout@v3
+
+    - name: Install regctl
+      uses: regclient/actions/regctl-installer@main
+
+    - name: Parse Image Manifest Digest
+      id: image_manifest_metadata
+      run: |
+        manifest_list_exists="$(
+          if regctl manifest get "${PRERELEASE_IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
+            echo true
+          else
+            echo false
+          fi
+        )"
+        echo "manifest_list_exists=$manifest_list_exists"
+        echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
+
+        manifest_sha="$(regctl image digest "${PRERELEASE_IMAGE}")"
+
+        echo "manifest_sha=$manifest_sha"
+        echo "manifest_sha=$manifest_sha" >> $GITHUB_OUTPUT
+
+    - name: Sign Image digest
+      id: sign_image
+      if: steps.image_manifest_metadata.outputs.manifest_sha != ''
+      uses: ./security-actions/sign-docker-image
+      with:
+        cosign_output_prefix: ubuntu-23-10
+        signature_registry: kongcloud/security-test-repo-sig-pub
+        tags: ${{ env.TAGS }} 
+        image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
+        rekor_transparency: true
+        local_save_cosign_assets: true
+        registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
+        registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
+
+    - name: Push Images
+      env:
+        RELEASE_TAG: kongcloud/security-test-repo:v1
+      run: |
+        docker pull ${PRERELEASE_IMAGE}
+        for tag in $RELEASE_TAG; do
+          regctl -v debug image copy ${PRERELEASE_IMAGE} $tag
+        done
+    
+    - name: Sign Image digest
+      id: sign_image_v1
+      if: steps.image_manifest_metadata.outputs.manifest_sha != ''
+      uses: ./security-actions/sign-docker-image
+      env:
+        RELEASE_TAG: kongcloud/security-test-repo:v1
+      with:
+        cosign_output_prefix: v1
+        signature_registry: kongcloud/security-test-repo-sig-pub
+        tags: ${{ env.RELEASE_TAG }} 
+        image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
+        rekor_transparency: true
+        local_save_cosign_assets: true
+        registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
+        registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}