
Commit 437972e

chore: signed release for containerd
Signed-off-by: Gaius <gaius.qi@gmail.com>
1 parent 759a70e commit 437972e


1 file changed

+36
-1
lines changed


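--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -64,6 +64,9 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-buildx-
 
+- name: Install Cosign
+uses: sigstore/cosign-installer@v3
+
 - name: Login Docker Hub
 uses: docker/login-action@v3.3.0
 with:
@@ -76,7 +79,10 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
-password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Verify base image
+run: |
+cosign dockerfile verify --base-image-only --key https://github.com/GoogleContainerTools/distroless build/images/${{ matrix.module }}/Dockerfile
 
 - name: Push to Registry
 uses: docker/build-push-action@v6.7.0
@@ -85,8 +91,12 @@ jobs:
 platforms: ${{ matrix.platforms }}
 file: build/images/${{ matrix.module }}/Dockerfile
 labels: |-
+org.opencontainers.image.title=${{ github.event.repository.name }}
+org.opencontainers.image.description=${{ github.event.repository.description }}
+org.opencontainers.image.url=${{ github.event.repository.html_url }}
 org.opencontainers.image.source=https://github.com/${{ github.repository }}
 org.opencontainers.image.revision=${{ github.sha }}
+org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }}
 build-args: |
 GITVERSION=git-${{ steps.vars.outputs.git_revision }}
 VERSION=${{ steps.get_version.outputs.VERSION }}
@@ -97,6 +107,31 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 
+- name: Sign container image
+run: |
+cosign sign --key env://COSIGN_KEY dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+cosign sign --key env://COSIGN_KEY ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+env:
+COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+
+- name: Check images
+run: |
+docker buildx imagetools inspect dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+docker pull dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+cosign verify --key cosign.pub dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+docker buildx imagetools inspect ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+docker pull ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+cosign verify --key cosign.pub ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+
+- uses: anchore/sbom-action@v0
+with:
+image: dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+
+- uses: anchore/sbom-action@v0
+with:
+image: ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+
 - name: Move cache
 run: |
 rm -rf /tmp/.buildx-cache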
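Review bot: The second hunk removes `password: ${{ secrets.GITHUB_TOKEN }}` from the ghcr.io `docker/login-action` step without a replacement, so unless the rendering dropped a line that login now has a registry and username but no credential, and the later ghcr.io push and `cosign sign` will run unauthenticated; the line should be restored under that step's `with:`. In the last hunk, both `cosign sign` calls are given tag references, which is racy because a tag can be re-pointed between push and sign; give the push step an `id` and sign the digest it reports, e.g. `dragonflyoss/${{ matrix.module }}@${{ steps.<push-step-id>.outputs.digest }}` (placeholder id). The `Verify base image` step passes a repository URL to `--key`, which expects a public-key file or KMS reference rather than a web page; distroless images are published with keyless signatures, so that verification normally uses `--certificate-identity` and `--certificate-oidc-issuer` instead, and the intended reference should be confirmed. `anchore/sbom-action@v0` floats on a major tag while the neighbouring actions are pinned to exact versions, which weakens the supply-chain posture the commit is adding. The `jobs:`/`steps:` block these steps belong to starts outside the hunks.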
