Build and Sign Docker Images #16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Sign Docker Images | |
| on: | |
| workflow_dispatch: | |
| # inputs: | |
| # job: | |
| # description: "Select which job to run" | |
| # required: true | |
| # type: choice | |
| # options: | |
| # - build-unsigned | |
| # - build-signed | |
| # - minikube-install | |
| jobs: | |
| build-unsigned: | |
| name: Build and Push Unsigned Image | |
| runs-on: ubuntu-latest | |
| # if: ${{ github.event.inputs.job == 'build-unsigned' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Authenticate to GHCR | |
| uses: docker/[email protected] | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Metadata for Unsigned Image | |
| id: docker_meta_unsigned | |
| uses: docker/[email protected] | |
| with: | |
| images: ghcr.io/shivaswaroop40/containerimages/my-unsigned-image | |
| tags: type=sha,format=short | |
| - name: Build and Push Unsigned Image | |
| uses: docker/[email protected] | |
| with: | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.docker_meta_unsigned.outputs.tags }} | |
| outputs: type=oci,dest=/tmp/output-unsigned.tar | |
| build-signed: | |
| name: Build and Push Signed Image | |
| runs-on: ubuntu-latest | |
| # if: ${{ github.event.inputs.job == 'build-signed' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Authenticate to GHCR | |
| uses: docker/[email protected] | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Metadata for Signed Image | |
| id: docker_meta_signed | |
| uses: docker/[email protected] | |
| with: | |
| images: ghcr.io/shivaswaroop40/containerimages/my-signed-image | |
| tags: type=sha,format=short | |
| - name: Build and Push Signed Image | |
| uses: docker/[email protected] | |
| id: build-and-push | |
| with: | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.docker_meta_signed.outputs.tags }} | |
| outputs: type=oci,dest=/tmp/output-signed.tar | |
| - name: Set Output for Image Tag | |
| run: echo "image_tag=${{ steps.docker_meta_signed.outputs.tags }}" >> $GITHUB_ENV | |
| id: set-output | |
| - name: Sign and Verify the Image | |
| run: | | |
| echo "Signing the image..." | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ steps.docker_meta_signed.outputs.tags }} | |
| echo "Verifying the signature..." | |
| cosign verify --key env://COSIGN_PUBLIC_KEY ${{ steps.docker_meta_signed.outputs.tags }} | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} | |
| # generate-sbomd: | |
| # name: Generate SBOM for the artifact | |
| # runs-on: ubuntu-latest | |
| # needs: build-signed | |
| # permissions: | |
| # contents: read | |
| # packages: write | |
| # steps: | |
| # - name: Generate SBOM | |
| # uses: anchore/sbom-action@v0 | |
| # with: | |
| # image: ${{ needs.build-signed.outputs.image_tag }} | |
| # registry-username: shivaswaroop40 | |
| # registry-password: ${{ secrets.REGISTRY_PASSWORD }} | |
| # - name: Upload SBOM | |
| # uses: anchore/sbom-action/publish-sbom@v0 | |
| # with: | |
| # sbom-artifact-match: ".*\\.spdx$" |