
ci: sign images with cosign #2125

Merged: vrutkovs merged 2 commits into VictoriaMetrics:master from kharf:sign-with-cosign on May 13, 2026

Conversation

@kharf kharf (Contributor) commented Apr 30, 2026

Summary by cubic

Sign container images with cosign in the release workflow to enable verification and provenance. Uses GitHub OIDC for keyless signing and signs all published tags across registries.

  • New Features

    • Grant id-token: write in the release workflow for keyless signing.
    • Install cosign via sigstore/cosign-installer (version read from COSIGN_VERSION in the Makefile) and run make sign after make publish.
    • Add Makefile targets: sign for main, -ubi, -fips, and config-reloader (incl. -fips) across $(PUBLISH_REGISTRIES), and cosign to bootstrap the binary via COSIGN_BIN.
    • Resolve COSIGN from PATH when available, falling back to the bootstrapped binary.
  • Dependencies

    • Add sigstore/cosign-installer@v4.1.1; default COSIGN_VERSION is v3.0.6.
    • Teach Renovate to track COSIGN_VERSION in the Makefile.

Written for commit 1437fa0. Summary will update on new commits.

@vrutkovs vrutkovs (Collaborator) left a comment

That looks useful, thank you

Comment thread on Makefile (outdated):
TAG=config-reloader-$(TAG)-fips COMPONENT=config-reloader GODEBUG_BUILD_ARGS=fips140=only FIPS_BUILD_VERSION=$(FIPS_VERSION) ROOT=./cmd/config-reloader $(MAKE) docker-buildx

.PHONY: sign
sign:

@vrutkovs (Collaborator):

I'd prefer an approach which installs the cosign binary in case we run this locally:

Suggested change (replacing the bare `sign:` target; the recipe line under `$(COSIGN_BIN)` must be tab-indented):

    # Pinned cosign release and the path the bootstrapped binary is downloaded to.
    COSIGN_VERSION ?= v3.0.6
    COSIGN_BIN ?= $(LOCALBIN)/cosign-$(COSIGN_VERSION)

    # `make cosign` fetches the pinned release into $(LOCALBIN) if it is not there yet.
    .PHONY: cosign
    cosign: $(COSIGN_BIN)
    $(COSIGN_BIN): $(LOCALBIN)
    	$(call download-github-release,$(COSIGN_BIN),sigstore/cosign,$(COSIGN_VERSION),cosign-$(OS)-$(ARCH),cosign-$(OS)-$(ARCH))

    # Signing depends on the binary being available.
    sign: cosign

This also needs a renovate.json to keep the version updated:

    {
      "customType": "regex",
      "managerFilePatterns": [
        "/^Makefile$/"
      ],
      "matchStrings": [
        "COSIGN_VERSION \\?= (?<currentValue>v.*)"
      ],
      "datasourceTemplate": "github-releases",
      "depNameTemplate": "sigstore/cosign"
    }

@kharf kharf (Contributor, Author) May 12, 2026

Sure, I can do that! Just curious: when or why would you run this locally? This could break verification when expecting the GitHub Actions OIDC issuer.

@vrutkovs (Collaborator):

I'd prefer not to get tied to GitHub Actions (in case we swap CIs later) and use a custom keypair instead. Also, more cosign actions may be added later (e.g. verify).

Perhaps a Makefile target could be used as an emergency fallback, so let's keep GitHub Actions too.
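The two signing paths discussed in this thread (keyless signing from the GitHub Actions release workflow, and a local keypair as an emergency fallback) need matching verification rules: a verifier that pins the GitHub OIDC issuer and workflow identity rejects anything signed locally, and the keyed fallback is only checkable against the committed public key. The script below is an added example, not code from this PR or from the VictoriaMetrics operator repository. It mirrors the shape of the Makefile logic in the PR summary (resolve cosign from PATH with a version-pinned bootstrap fallback, enumerate the tags `make publish` pushes across `$(PUBLISH_REGISTRIES)`) and verifies each tag. The registry names, the tag, the `operator`/`config-reloader` repository layout, the workflow path in the identity regexp and the `cosign.pub` file are assumptions; the image layout in particular must be taken from what `make publish` actually pushes.

```shell
#!/bin/sh
# Added example (not code from this PR or the VictoriaMetrics operator repo).
# Mirrors the shape of the Makefile logic discussed in the thread: resolve a
# cosign binary from PATH with a version-pinned fallback, enumerate every tag
# that `make publish` pushes across the configured registries, and verify each
# one. Registry names, the tag, the repo layout and the workflow identity below
# are assumptions.
set -eu

COSIGN_VERSION="${COSIGN_VERSION:-v3.0.6}"
LOCALBIN="${LOCALBIN:-./bin}"
TAG="${TAG:-v0.0.0-example}"
PUBLISH_REGISTRIES="${PUBLISH_REGISTRIES:-docker.io/example quay.io/example}"
# Identity a keyless (GitHub OIDC) signature must carry. The workflow path is an
# assumed value and must match the repository's real release workflow file.
GH_ISSUER="https://token.actions.githubusercontent.com"
GH_IDENTITY_RE='^https://github\.com/example/operator/\.github/workflows/release\.yml@refs/tags/.*'

# Prefer cosign from PATH; otherwise the bootstrapped, version-pinned binary.
resolve_cosign() {
  if command -v cosign >/dev/null 2>&1; then
    command -v cosign
  else
    printf '%s/cosign-%s\n' "$LOCALBIN" "$COSIGN_VERSION"
  fi
}

# All image references a release publishes: operator (plain, -ubi, -fips) and
# config-reloader (plain, -fips) under each registry, one per line. This layout
# is assumed; it has to match the tags `make publish` really pushes.
image_refs() {
  for reg in $PUBLISH_REGISTRIES; do
    printf '%s\n' \
      "$reg/operator:$TAG" \
      "$reg/operator:$TAG-ubi" \
      "$reg/operator:$TAG-fips" \
      "$reg/config-reloader:$TAG" \
      "$reg/config-reloader:$TAG-fips"
  done
}

# Verify one image. "keyless" accepts only certificates issued by GitHub's OIDC
# provider to the release workflow, so a signature produced on a laptop or by a
# different CI is rejected. "keyed" is the emergency path: a signature made with
# the custom keypair, checked against the committed public key (cosign.pub).
# With DRY_RUN=1, or when no executable cosign is available, the command is
# printed instead of run.
verify_one() {
  vmode="$1"; vref="$2"
  bin="$(resolve_cosign)"
  case "$vmode" in
    keyless) set -- verify \
               --certificate-oidc-issuer "$GH_ISSUER" \
               --certificate-identity-regexp "$GH_IDENTITY_RE" \
               "$vref" ;;
    keyed)   set -- verify --key cosign.pub "$vref" ;;
    *)       echo "unknown mode: $vmode" >&2; return 2 ;;
  esac
  if [ "${DRY_RUN:-0}" = 1 ] || [ ! -x "$bin" ]; then
    printf '%s' "$bin"
    for arg; do printf " '%s'" "$arg"; done
    printf '\n'
  else
    "$bin" "$@"
  fi
}

# Verify every published tag; fails if any single verification fails.
verify_all() {
  mode="${1:-keyless}"; rc=0
  for ref in $(image_refs); do
    verify_one "$mode" "$ref" || rc=1
  done
  return $rc
}

# Usage: ./verify-images.sh keyless   or   DRY_RUN=1 ./verify-images.sh keyed
if [ $# -gt 0 ]; then
  verify_all "$1"
fi
```

The point of keeping the two modes separate is that a single `cosign verify` policy cannot cover both: the keyless check pins issuer and identity and will not accept the keypair's signature, and the keyed check knows nothing about OIDC. Consumers of the images therefore have to be told which mode applies, or images signed via the fallback have to be re-signed from CI once it is back.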

@kharf kharf (Contributor, Author) May 13, 2026

Ok, so I kept the GitHub Action and added the requested changes. It got a bit ugly, because I want to use the same cosign version for the GitHub Action. This could get flaky though, when the Makefile variable gets changed. I could also specify the version directly and add it to the Renovate regex manager.

What do you say?

@vrutkovs (Collaborator):

Yeah, that looks great! We'll be keeping an eye on this; if this method becomes too brittle, we'll probably have to drop the Makefile entry then.

Thank you!

@kharf kharf force-pushed the sign-with-cosign branch from c8a52c7 to ff59985 Compare May 13, 2026 07:23
Signed-off-by: kharf <kharf1@proton.me>
@kharf kharf force-pushed the sign-with-cosign branch from ff59985 to 12c1b7c Compare May 13, 2026 07:28
@vrutkovs vrutkovs marked this pull request as ready for review May 13, 2026 07:53
@vrutkovs vrutkovs requested a review from AndrewChubatiuk as a code owner May 13, 2026 07:53

@cubic-dev-ai cubic-dev-ai (Bot) left a comment

1 issue found across 3 files


Makefile:282 (P1): the `sign` target's config-reloader image paths don't match the `publish` output. `publish` pushes config-reloader images under the `operator` repo (missing `REPO=config-reloader`), but `sign` expects them under the `config-reloader` repo.

Signed-off-by: Vadim Rutkovsky <roignac@gmail.com>
@vrutkovs vrutkovs (Collaborator):

Thank you for your contribution!

@vrutkovs vrutkovs merged commit c74191c into VictoriaMetrics:master May 13, 2026
1 check passed