Build and Sign Docker Images #25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Sign Docker Images | |
| on: | |
| workflow_dispatch: | |
| jobs: | |
| build-unsigned: | |
| name: Build and Push Unsigned Image | |
| runs-on: ubuntu-24.04 | |
| # if: ${{ github.event.inputs.job == 'build-unsigned' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Authenticate to GHCR | |
| uses: docker/[email protected] | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Metadata for Unsigned Image | |
| id: docker_meta_unsigned | |
| uses: docker/[email protected] | |
| with: | |
| images: ghcr.io/shivaswaroop40/containerimages/my-unsigned-image | |
| tags: type=sha,format=short | |
| - name: Build and Push Unsigned Image | |
| uses: docker/[email protected] | |
| with: | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.docker_meta_unsigned.outputs.tags }} | |
| outputs: type=oci,dest=/tmp/output-unsigned.tar | |
| build-signed: | |
| name: Build and Push Signed Image | |
| runs-on: ubuntu-24.04 | |
| # if: ${{ github.event.inputs.job == 'build-signed' }} | |
| outputs: | |
| tags: ${{ steps.build-and-push.tags }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Authenticate to GHCR | |
| uses: docker/[email protected] | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Metadata for Signed Image | |
| id: docker_meta_signed | |
| uses: docker/[email protected] | |
| with: | |
| images: ghcr.io/shivaswaroop40/containerimages/my-signed-image | |
| tags: type=sha,format=short | |
| - name: Build and Push Signed Image | |
| uses: docker/[email protected] | |
| id: build-and-push | |
| with: | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.docker_meta_signed.outputs.tags }} | |
| outputs: type=oci,dest=/tmp/output-signed.tar | |
| - name: Scan image in a private registry | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: '${{ steps.docker_meta_signed.outputs.tags }}' | |
| scan-type: image | |
| format: 'github' | |
| output: 'dependency-results.sbom.json' | |
| github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT | |
| severity: "MEDIUM,HIGH,CRITICAL" | |
| scanners: "vuln" | |
| env: | |
| TRIVY_USERNAME: ${{ github.actor }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload trivy report as a Github artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: trivy-sbom-report | |
| path: '${{ github.workspace }}/dependency-results.sbom.json' | |
| retention-days: 20 # 90 is the default | |
| - name: Set Output for Image Tag | |
| run: echo "image_tag=${{ steps.docker_meta_signed.outputs.tags }}" >> $GITHUB_ENV | |
| id: set-output | |
| - name: Sign and Verify the Image | |
| run: | | |
| echo "Signing the image..." | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ steps.docker_meta_signed.outputs.tags }} | |
| echo "Verifying the signature..." | |
| cosign verify --key env://COSIGN_PUBLIC_KEY ${{ steps.docker_meta_signed.outputs.tags }} | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} |