
Commit fb54916

ci: enable image signing
Image signatures can be verified with cosign. An example for the rolling unstable image for the template plugin:

    cosign verify ghcr.io/containerd/nri/plugins/template:unstable \
        --certificate-identity-regexp "https://github.com/containerd/nri/.*" \
        --certificate-oidc-issuer https://token.actions.githubusercontent.com \
        | jq .

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
1 parent 2f815c1 commit fb54916

1 file changed

+18
-3
lines changed

.github/workflows/images.yml

Lines changed: 18 additions & 3 deletions
@@ -14,12 +14,14 @@ concurrency:
1414

1515
permissions:
1616
contents: read
17-
packages: write
1817

1918
jobs:
2019
build-and-push:
2120
name: Build and Push (${{ matrix.image }})
2221
runs-on: ubuntu-latest
22+
permissions:
23+
packages: write
24+
id-token: write
2325
strategy:
2426
matrix:
2527
image: [
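Review bot: the new job-level `permissions` block (`packages: write`, `id-token: write`) replaces the workflow-level set for this job rather than extending it, so the `contents: read` that remains at the top of the file no longer applies to `build-and-push`; every scope not listed at job level is set to none. Add `contents: read` to the job-level block so the checkout step's read access is declared explicitly instead of depending on the repository being public.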
@@ -38,6 +40,12 @@ jobs:
3840
- name: Checkout code
3941
uses: actions/checkout@v4
4042

43+
- name: Install cosign
44+
if: github.event_name != 'pull_request'
45+
uses: sigstore/cosign-installer@v3
46+
with:
47+
cosign-release: 'v2.5.3'
48+
4149
- name: Set up Docker Buildx
4250
uses: docker/setup-buildx-action@v3
4351

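Review bot: `sigstore/cosign-installer@v3` is referenced by a floating major tag while the cosign release itself is pinned to `v2.5.3`; since this step installs the tool that produces the signatures, pin the action to a full commit SHA (keeping the tag in a trailing comment) so the installer cannot change underneath the workflow. Minor: the `if:` here is a bare expression while the Sign image step below wraps the same test in `${{ }}`; both work, but one style is easier to scan.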
@@ -69,9 +77,10 @@ jobs:
6977
echo "ERROR: failed to determine image tag"
7078
exit 1
7179
fi
72-
echo "TAG_NAME=$tag" >> $GITHUB_ENV
80+
echo "TAG=ghcr.io/${{ github.repository }}/plugins/${{ matrix.image }}:$tag" >> $GITHUB_ENV
7381
7482
- name: Build and push image
83+
id: build-and-push
7584
uses: docker/build-push-action@v6
7685
with:
7786
context: .
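Review bot: `id: build-and-push` is added without a comment saying why; the later Sign image step depends on it for `steps.build-and-push.outputs.digest`, and a one-line note above the `id:` would stop someone renaming or dropping it. While the tag line is being rewritten, quoting the redirect target (`>> "$GITHUB_ENV"`) costs nothing and matches the rest of the script's quoting.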
@@ -80,4 +89,10 @@ jobs:
8089
PLUGIN=${{ matrix.image }}
8190
push: ${{ github.event_name == 'push' }}
8291
platforms: ${{ github.event_name == 'push' && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
83-
tags: ghcr.io/${{ github.repository }}/plugins/${{ matrix.image }}:${{ env.TAG_NAME }}
92+
tags: ${{ env.TAG }}
93+
94+
- name: Sign image
95+
if: ${{ github.event_name != 'pull_request' }}
96+
env:
97+
DIGEST: ${{ steps.build-and-push.outputs.digest }}
98+
run: cosign sign --yes ${{ env.TAG }}@${DIGEST}
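Review bot: the push and sign conditions disagree: `push:` is `github.event_name == 'push'`, but Sign image runs whenever the event is not `pull_request`, so on any other trigger the image is built but not pushed, `outputs.digest` is empty, and `cosign sign --yes ghcr.io/...@` fails. Gate the sign step on the same condition as the push (`if: github.event_name == 'push'`) or on `steps.build-and-push.outputs.digest != ''`. Two smaller points on the `run:` line: prefer the shell variable form (`cosign sign --yes "${TAG}@${DIGEST}"`, with `TAG` passed through `env:` alongside `DIGEST`) over `${{ env.TAG }}` so nothing is interpolated into the script by the expression engine; and because this is keyless signing, the certificate identity is the calling workflow's ref, so the `--certificate-identity-regexp "https://github.com/containerd/nri/.*"` shown in the commit message accepts signatures from any workflow in the repository; narrowing it to this workflow file's path tightens verification for consumers.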
