From 08ee3025d7c4f320e4143a5de480513bb9ede259 Mon Sep 17 00:00:00 2001
From: Rafael David Tinoco
Date: Wed, 25 Oct 2023 16:32:18 -0300
Subject: [PATCH] chore(build): cosign images and the manifest as well
---
 .github/workflows/release-snapshot.yaml | 27 +++++++++++++++++++++++++
 .github/workflows/release.yaml | 14 ++++++++++---
 builder/Makefile.release | 1 -
 3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml
index 7fe236ddd8ad..6fe37d68aad5 100644
--- a/.github/workflows/release-snapshot.yaml
+++ b/.github/workflows/release-snapshot.yaml
@@ -25,6 +25,10 @@ jobs:
 with:
 submodules: true
 fetch-depth: 0
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v2.0.2'
 - name: Login to docker.io registry
 uses: docker/login-action@v2
 with:
@@ -43,8 +47,14 @@ jobs:
 run: |
 docker image tag tracee:latest aquasec/tracee:x86_64-dev
 docker image push aquasec/tracee:x86_64-dev
+ shell: bash
+ - name: Sign Docker image
+ run: |
+ cosign sign -y $(docker inspect --format='{{index .RepoDigests 0}}' aquasec/tracee:x86_64-dev)
+ shell: bash
 release-snapshot-aarch64:
 name: Release Snapshot (aarch64)
+ needs: [ release-snapshot-x86_64 ]
 runs-on: [ "github-self-hosted_ami-03217ce7c37572c4d_${{ github.event.number }}-${{ github.run_id }}" ]
 permissions:
 contents: read
@@ -56,6 +66,10 @@ jobs:
 with:
 submodules: true
 fetch-depth: 0
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v2.0.2'
 - name: Login to docker.io registry
 uses: docker/login-action@v2
 with:
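Review bot: `uses: sigstore/cosign-installer@main` in the new Install Cosign step tracks a mutable branch, so the tool that produces the release signatures is itself fetched unpinned, and any change landing on that branch runs with this job's registry credentials and OIDC token. Pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha-of-tagged-release> # vX.Y.Z`, so that bumps of the action stay reviewable. The same unpinned reference is added in the other three Install Cosign hunks (`@@ -56,6 +66,10 @@` and `@@ -88,6 +107,10 @@` in release-snapshot.yaml, `@@ -111,6 +109,10 @@` in release.yaml). `cosign-release: 'v2.0.2'` already pins the binary version; the installer action should be pinned the same way.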
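Review bot: The new `cosign sign -y ...` step passes no key, which in GitHub Actions means keyless Sigstore signing, and that requires the job to be allowed to request an OIDC token via `permissions: id-token: write`; the only permissions block visible in this hunk is the aarch64 job's `contents: read`, nothing is added to it, and the x86_64 job's permissions lie before the hunk. If no `--key`/`COSIGN_KEY` is configured elsewhere in the workflow, add `id-token: write` beside `contents: read` in every job that signs (the aarch64 job here, the jobs in `@@ -74,6 +88,11 @@` and `@@ -101,3 +124,7 @@`, and both signing jobs in release.yaml). The digest lookup `{{index .RepoDigests 0}}` takes whichever repo digest happens to be listed first; selecting the `aquasec/tracee@` entry explicitly would avoid signing a digest recorded under another repository if the runner's image cache is ever reused.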
@@ -74,6 +88,11 @@ jobs:
 run: |
 docker image tag tracee:latest aquasec/tracee:aarch64-dev
 docker image push aquasec/tracee:aarch64-dev
+ shell: bash
+ - name: Sign Docker image
+ run: |
+ cosign sign -y $(docker inspect --format='{{index .RepoDigests 0}}' aquasec/tracee:aarch64-dev)
+ shell: bash
 release-snapshot:
 name: Release Snapshot
 needs: [release-snapshot-x86_64, release-snapshot-aarch64]
@@ -88,6 +107,10 @@ jobs:
 with:
 submodules: true
 fetch-depth: 0
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v2.0.2'
 - name: Login to docker.io registry
 uses: docker/login-action@v2
 with:
@@ -101,3 +124,7 @@ jobs:
 aquasec/tracee:aarch64-dev
 docker manifest push aquasec/tracee:dev
 shell: bash
+ - name: Sign Docker image
+ run: |
+ cosign sign -y aquasec/tracee:dev
+ shell: bash
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 86ca98e6e894..188c3d5fd0aa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -55,9 +55,7 @@ jobs:
 name: Release (aarch64)
 env:
 GH_TOKEN: ${{ github.token }}
- # only runs after x64 released
- needs:
- - release-x86_64
+ needs: [ release-x86_64 ]
 runs-on: [ "github-self-hosted_ami-03217ce7c37572c4d_${{ github.event.number }}-${{ github.run_id }}" ]
 permissions:
 contents: write
@@ -111,6 +109,10 @@ jobs:
 ref: ${{ github.event.inputs.ref }}
 submodules: true
 fetch-depth: 0
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v2.0.2'
 - name: Login to docker.io registry
 uses: docker/login-action@v2
 with:
@@ -129,3 +131,9 @@ jobs:
 docker manifest push aquasec/tracee:latest
 docker manifest push aquasec/tracee:${TAG}
 shell: bash
+ - name: Sign the latest manifest with Cosign
+ run: |
+ TAG=$(echo ${{ github.event.inputs.ref }} | sed -e "s/v//gI")
+ cosign sign -y aquasec/tracee:latest
+ cosign sign -y aquasec/tracee:${TAG}
+ shell: bash
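Review bot: `cosign sign -y aquasec/tracee:dev` in `@@ -101,3 +124,7 @@` signs whatever the `dev` tag resolves to when the step runs, not the manifest list this job just pushed, so a tag moved between `docker manifest push` and the sign step (a concurrent run of this workflow, for instance) is what gets signed; cosign itself warns about tag references for this reason. As far as I recall `docker manifest push` prints the pushed list's digest on stdout, so the previous step can capture it into a variable and the sign step can run `cosign sign -y --recursive "aquasec/tracee@${DIGEST}"` (`--recursive` also signs each per-architecture image the list references). The same tag-based signing is added for `aquasec/tracee:latest` and `aquasec/tracee:${TAG}` in `@@ -129,3 +131,9 @@` of release.yaml. The `docker manifest create` run block that the first hunk continues starts before the hunk.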
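Review bot: `TAG=$(echo ${{ github.event.inputs.ref }} | sed -e "s/v//gI")` in `@@ -129,3 +131,9 @@` expands the workflow_dispatch input straight into the shell script, so the input text is interpreted by bash before `sed` sees it; the GitHub hardening guidance is to hand expression values to the script through an environment variable. Change the step to `env:` with `REF: ${{ github.event.inputs.ref }}` and derive the tag with `TAG=$(echo "$REF" | sed -e "s/v//gI")`. Note also that `s/v//gI` strips every `v`/`V` in the ref rather than only a leading one; this is presumably the pre-existing derivation, since the context line already uses `${TAG}`, but anchoring it (`s/^v//I`) would be safer if a ref name can contain that letter elsewhere.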
diff --git a/builder/Makefile.release b/builder/Makefile.release index 3d7cf14e6bea..46f5aea4a0d5 100644 --- a/builder/Makefile.release +++ b/builder/Makefile.release @@ -19,7 +19,6 @@ MAKEFLAGS += --no-print-directory # CMD_CHECKSUM ?= sha256sum -CMD_COSIGN ?= cosign CMD_DOCKER ?= docker CMD_GIT ?= git CMD_GITHUB ?= gh