chore: sign container images and checksum assets (argoproj#2334)

Signed-off-by: Justin Marquis <[email protected]> Signed-off-by: toann <[email protected]>
itsme2980 · Nov 3, 2022 · 80f09c7 · 80f09c7
1 parent f606cb3
commit 80f09c7
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 1 deletion.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -94,4 +94,54 @@ jobs:
           target: kubectl-argo-rollouts
           platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.plugin-meta.outputs.tags }}
+          tags: ${{ steps.plugin-meta.outputs.tags }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/[email protected]
+
+      - name: Get digest of controller-image
+        run: |
+          if [[ "${{ github.ref == 'refs/heads/master' }}" ]]
+          then
+            echo "CONTROLLER_DIGEST=$(crane digest quay.io/argoproj/argo-rollouts:latest)" >> $GITHUB_ENV
+          fi
+          if [[ "${{ github.ref != 'refs/heads/master' }}" ]]
+          then
+            echo "CONTROLLER_DIGEST=$(crane digest ${{ steps.controller-meta.outputs.tags }})" >> $GITHUB_ENV
+          fi
+        if: github.event_name != 'pull_request'
+
+      - name: Get digest of plugin-image
+        run: |
+          if [[ "${{ github.ref == 'refs/heads/master' }}" ]]
+          then
+            echo "PLUGIN_DIGEST=$(crane digest quay.io/argoproj/kubectl-argo-rollouts:latest)" >> $GITHUB_ENV
+          fi
+          if [[ "${{ github.ref != 'refs/heads/master' }}" ]]
+          then
+            echo "PLUGIN_DIGEST=$(crane digest ${{ steps.plugin-meta.outputs.tags }})" >> $GITHUB_ENV
+          fi
+        if: github.event_name != 'pull_request'
+
+      - name: Sign Argo Rollouts Images
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }}
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ github.event_name == 'push' }}
+
+      - name: Display the public key to share.
+        run: |
+          # Displays the public key to share
+          cosign public-key --key env://COSIGN_PRIVATE_KEY
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ github.event_name == 'push' }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -149,6 +149,40 @@ jobs:
 
           cd /tmp && tar -zcf sbom.tar.gz *.spdx
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/[email protected]
+
+      - name: Get digest of controller-image
+        run: |
+          echo "CONTROLLER_DIGEST=$(crane digest ${{ steps.controller-meta.outputs.tags }})" >> $GITHUB_ENV
+
+      - name: Get digest of plugin-image
+        run: |
+          echo "PLUGIN_DIGEST=$(crane digest ${{ steps.plugin-meta.outputs.tags }})" >> $GITHUB_ENV
+
+      - name: Sign Argo Rollouts Images
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }}
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+
+      - name: Sign checksums and create public key for release assets
+        run: |
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY dist/argo-rollouts-checksums.txt > dist/argo-rollouts-checksums.sig
+          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-rollouts-cosign.pub
+          # Displays the public key to share.
+          cosign public-key --key env://COSIGN_PRIVATE_KEY
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+
       - name: Draft release
         uses: softprops/action-gh-release@v1
         with:
@@ -161,6 +195,8 @@ jobs:
             dist/kubectl-argo-rollouts-darwin-arm64
             dist/kubectl-argo-rollouts-windows-amd64
             dist/argo-rollouts-checksums.txt
+            dist/argo-rollouts-checksums.sig
+            dist/argo-rollouts-cosign.pub
             manifests/dashboard-install.yaml
             manifests/install.yaml
             manifests/namespace-install.yaml