From f055ebd0212424b0c5916e623d2e9dfd43f66d36 Mon Sep 17 00:00:00 2001
From: irongut
Date: Sun, 24 Jul 2022 22:16:13 +0100
Subject: [PATCH 1/2] sign Docker image on release #32
---
.github/workflows/release-build.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index dae8b11..5251474 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -48,6 +48,8 @@ jobs: permissions: contents: read packages: write + id-token: write # Used for identity challenge with sigstore/fulcio + steps: - name: Harden Runner
@@ -58,6 +60,14 @@ jobs: - name: Checkout uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf + - name: Install Cosign + uses: sigstore/cosign-installer@c68f43abf1ae5df2528c9c250088fa14ed2d0ef5 + with: + cosign-release: 'v1.9.0' + + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 + - name: Login to GitHub Container Registry uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 with:
@@ -72,9 +82,18 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build + Push Docker image + id: build-and-push uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + # Sign the Docker image digest + # Uses the identity token to provision an ephemeral certificate against the community Fulcio instance + # https://github.com/sigstore/cosign + - name: Sign the Docker image + env: + COSIGN_EXPERIMENTAL: "true" + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
From 9d67d209d5bbf8a426f787d0763cf0ee54f29156 Mon Sep 17 00:00:00 2001
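Review bot: The two new `uses:` pins in the Install Cosign and Setup Docker Buildx steps carry only a commit SHA with no comment naming the release that SHA resolves to, so a reader cannot tell which action version is being run without resolving the hash, while the cosign binary version is stated plainly as `cosign-release: 'v1.9.0'`. Append the release tag as a trailing comment on each pin, e.g. `uses: sigstore/cosign-installer@c68f43abf1ae5df2528c9c250088fa14ed2d0ef5 # <release-tag>` (placeholder for the tag that SHA corresponds to); the SHA stays the integrity anchor and the comment documents what was reviewed and lets pin-update tooling show a readable version in its diffs. The Checkout and Login pins visible as context in this hunk lack the comment as well, so the convention is worth applying file-wide. The steps list continues outside the hunk.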
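Review bot: The new `run:` line of the Sign the Docker image step interpolates `${{ steps.meta.outputs.tags }}` and `${{ steps.build-and-push.outputs.digest }}` straight into the shell command text, so whatever those step outputs expand to is parsed as part of the command rather than handled as data; with this workflow the values derive from git refs and an image digest, so the exposure is limited, but it is the expression-in-script pattern that GitHub's workflow-hardening guidance asks to avoid. Route the values through the step's existing `env:` block instead: add `TAGS: ${{ steps.meta.outputs.tags }}` and `DIGEST: ${{ steps.build-and-push.outputs.digest }}` under `env:` and change the command to `run: echo "${TAGS}" | xargs -I {} cosign sign {}@${DIGEST}`, which keeps the script constant and the data in environment variables. Writing it as `run: |` block style would also let the command wrap within the line-length limit. The comment block above the step explains the Fulcio certificate but not that keyless signing with `COSIGN_EXPERIMENTAL` also publishes the signature to a public transparency log; a sentence noting that would set expectations for anyone who later needs the log entries for verification.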
From: irongut
Date: Sun, 24 Jul 2022 22:27:52 +0100
Subject: [PATCH 2/2] remove workflow permissions from assign PR to author
---
.github/workflows/auto-assign-pr.yml | 5 -----
1 file changed, 5 deletions(-)
diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml
index b923fd6..c3b5483 100644
--- a/.github/workflows/auto-assign-pr.yml
+++ b/.github/workflows/auto-assign-pr.yml
@@ -7,13 +7,8 @@ on: pull_request: types: [opened] -permissions: - contents: read - jobs: assignAuthor: - permissions: - issues: write # for samspills/assign-pr-to-author runs-on: ubuntu-latest steps: