ci: sign images with cosign #2125
Conversation
vrutkovs
left a comment
That looks useful, thank you
```make
	TAG=config-reloader-$(TAG)-fips COMPONENT=config-reloader GODEBUG_BUILD_ARGS=fips140=only FIPS_BUILD_VERSION=$(FIPS_VERSION) ROOT=./cmd/config-reloader $(MAKE) docker-buildx

.PHONY: sign
sign:
```
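Review bot: `sign:` is declared with no prerequisites at the end of this hunk, so `make sign` does not ensure a cosign binary is present before its recipe runs and fails differently on a developer machine than in CI; declare it as `sign: cosign` with a bootstrapped `$(COSIGN_BIN)` target, and note in a comment above the target that it signs refs that `docker-buildx`/publish already pushed rather than building anything itself.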
I'd prefer an approach which installs the cosign binary in case we run this locally:

```make
COSIGN_VERSION ?= v3.0.6
COSIGN_BIN ?= $(LOCALBIN)/cosign-$(COSIGN_VERSION)

.PHONY: cosign
cosign: $(COSIGN_BIN)
$(COSIGN_BIN): $(LOCALBIN)
	$(call download-github-release,$(COSIGN_BIN),sigstore/cosign,$(COSIGN_VERSION),cosign-$(OS)-$(ARCH),cosign-$(OS)-$(ARCH))

sign: cosign
```
This also needs a renovate.json to keep the version updated:

```json
{
  "customType": "regex",
  "managerFilePatterns": [
    "/^Makefile$/"
  ],
  "matchStrings": [
    "COSIGN_VERSION \\?= (?<currentValue>v.*)"
  ],
  "datasourceTemplate": "github-releases",
  "depNameTemplate": "sigstore/cosign"
}
```
Sure, I can do that! Just curious: when or why would you run this locally? This could break verification when expecting the GH Action OIDC issuer.
I'd prefer not to get tied to GitHub Actions (in case we swap CIs later) and to use a custom keypair instead. Also, more cosign actions may be added later (e.g. verify).
Perhaps a Makefile target could be used as an emergency fallback, so let's keep GitHub Actions too.
OK, so I kept the GitHub Action and added the requested changes. It got a bit ugly, because I want to use the same cosign version for the GitHub Action. This could get flaky, though, when the Makefile variable gets changed. I could also specify the version directly and add it to the Renovate regex manager.
What do you say?
Yeah, that looks great! We'll be keeping an eye on this; if this method becomes too brittle we'll probably have to drop the Makefile entry then.
Thank you!
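The thread above settles on two signing paths (keyless in GitHub Actions, a key-pair fallback from the Makefile) and notes that verification has to match whichever path produced the signature. The script below is an added example, not the PR's Makefile or workflow and not the project's code: it keeps one image-ref list that sign and verify both iterate, so the refs cannot drift from what publish pushed, and it pins `cosign verify` to the GitHub Actions OIDC issuer plus the release workflow identity at tag refs, with `--key` as the fallback for locally signed images. The registries, repo names, org/repo and workflow path are assumptions; only the cosign flags are real.

```sh
#!/bin/sh
# Added example (not the PR's Makefile or workflow). Shows a single image-ref
# list shared by sign and verify, plus a keyless verify policy pinned to the
# GitHub Actions OIDC issuer and release workflow identity, with a --key
# fallback for images signed locally with a custom key pair.
# Registries, repo names, org/repo and workflow path are assumptions.
set -eu

REGISTRIES=${REGISTRIES:-"quay.io/example docker.io/example"}   # assumed
OPERATOR_REPO=${OPERATOR_REPO:-operator}                          # assumed
RELOADER_REPO=${RELOADER_REPO:-config-reloader}                   # assumed
GH_ISSUER='https://token.actions.githubusercontent.com'
# Assumed workflow path. Anchoring on @refs/tags/ means a signature produced
# by the same workflow on a branch or PR build does not satisfy the policy.
IDENTITY_RE='^https://github\.com/example-org/example-repo/\.github/workflows/release\.ya?ml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'

# image_refs TAG: every ref the release produces for TAG, one per line.
# publish, sign and verify should all consume this one list; two
# hand-maintained lists are how a repo/tag mismatch between them arises.
image_refs() {
  tag=$1
  for reg in $REGISTRIES; do
    printf '%s/%s:%s\n'                      "$reg" "$OPERATOR_REPO" "$tag"
    printf '%s/%s:%s-ubi\n'                  "$reg" "$OPERATOR_REPO" "$tag"
    printf '%s/%s:%s-fips\n'                 "$reg" "$OPERATOR_REPO" "$tag"
    printf '%s/%s:config-reloader-%s\n'      "$reg" "$RELOADER_REPO" "$tag"
    printf '%s/%s:config-reloader-%s-fips\n' "$reg" "$RELOADER_REPO" "$tag"
  done
}

# run_cosign ARGS...: execute cosign, or print the command when COSIGN_DRY_RUN=1.
# COSIGN may point at a bootstrapped binary (e.g. the Makefile's COSIGN_BIN).
run_cosign() {
  if [ "${COSIGN_DRY_RUN:-0}" = 1 ]; then
    printf 'cosign'; printf ' %s' "$@"; printf '\n'
  else
    "${COSIGN:-cosign}" "$@"
  fi
}

# sign_one REF [PRIVKEY]: keyless via ambient OIDC (GitHub Actions with
# id-token: write) unless a private key is given. --yes skips the interactive
# transparency-log prompt that would hang a CI job.
sign_one() {
  ref=$1; key=${2:-}
  if [ -n "$key" ]; then
    run_cosign sign --yes --key "$key" "$ref"
  else
    run_cosign sign --yes "$ref"
  fi
}

# verify_one REF [PUBKEY]: a keyless signature only verifies when the
# certificate's issuer and identity match the policy; an image signed locally
# with a key pair needs the matching public key instead.
verify_one() {
  ref=$1; pub=${2:-}
  if [ -n "$pub" ]; then
    run_cosign verify --key "$pub" "$ref"
  else
    run_cosign verify \
      --certificate-oidc-issuer "$GH_ISSUER" \
      --certificate-identity-regexp "$IDENTITY_RE" \
      "$ref"
  fi
}

# verify_all TAG [PUBKEY]: verify every published ref for TAG.
verify_all() {
  tag=$1; pub=${2:-}
  image_refs "$tag" | while IFS= read -r ref; do
    verify_one "$ref" "$pub"
  done
}

# Usage: ./verify.sh v1.2.3            (keyless policy)
#        ./verify.sh v1.2.3 cosign.pub (local key-pair fallback)
if [ "$#" -gt 0 ]; then
  verify_all "$@"
fi
```

Run with `COSIGN_DRY_RUN=1` to see the exact commands without a registry. The issuer and identity pins are what make keyless verification meaningful: without them any Fulcio-issued certificate would pass, and an image signed from a developer laptop with `make sign` will, correctly, fail this policy and must be checked with the published public key instead.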
Signed-off-by: kharf <kharf1@proton.me>
1 issue found across 3 files

Makefile:282, P1: the `sign` target's config-reloader image paths don't match the `publish` output: `publish` pushes config-reloader images under the `operator` repo (missing `REPO=config-reloader`), but `sign` expects them under the `config-reloader` repo.
Signed-off-by: Vadim Rutkovsky <roignac@gmail.com>
Thank you for your contribution!
Summary by cubic
Sign container images with cosign in the release workflow to enable verification and provenance. Uses GitHub OIDC for keyless signing and signs all published tags across registries.

New Features
- `id-token: write` in the release workflow for keyless signing.
- Install `cosign` via `sigstore/cosign-installer` (version read from `COSIGN_VERSION` in the `Makefile`) and run `make sign` after `make publish`.
- Makefile targets `sign` (main, `-ubi`, `-fips`, and `config-reloader` incl. `-fips`, across `$(PUBLISH_REGISTRIES)`) and `cosign` to bootstrap the binary via `COSIGN_BIN`.
- Use `COSIGN` from PATH when available, falling back to the bootstrapped binary.

Dependencies
- `sigstore/cosign-installer@v4.1.1`; default `COSIGN_VERSION` is `v3.0.6`.
- Renovate regex manager for `COSIGN_VERSION` in the `Makefile`.

Written for commit 1437fa0. Summary will update on new commits.