diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 302160b..da4de38 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,7 +19,7 @@ jobs: contents: read packages: write # This is used to complete the identity challenge - # with sigstore/fulcio + # with sigstore/fulcio id-token: write steps: @@ -29,63 +29,65 @@ jobs: # Install the cosign tool # https://github.com/sigstore/cosign-installer - name: Install cosign - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 - with: - cosign-release: 'v1.13.1' - + uses: sigstore/cosign-installer@v3.1.2 - # Workaround: https://github.com/docker/build-push-action/issues/461 + # https://github.com/docker/setup-buildx-action - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + uses: docker/setup-buildx-action@v3 # https://github.com/docker/login-action - name: Login to GHCR - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Pushing to docker hub is disabled until repo is prepared - # https://github.com/docker/login-action - # - name: Login to docker hub - # uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c - # with: - # registry: docker.io - # username: ${{ secrets.DOCKERHUB_USERNAME }} - # password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Login to docker hub + uses: docker/login-action@v1 + with: + registry: docker.io + username: ${{ secrets.DOCKER_USER }} + password: ${{ secrets.DOCKER_PASSWORD }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@v5 with: images: | ghcr.io/${{ env.IMAGE_NAME }} - # ${{ env.IMAGE_NAME }} + ${{ env.IMAGE_NAME }} # Build and push Docker image with Buildx # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + uses: docker/build-push-action@v5 with: context: . + push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64,linux/armhf cache-from: type=gha cache-to: type=gha,mode=max - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image - env: - COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} \ No newline at end of file + run: > + echo "${{ steps.meta.outputs.tags }}" | xargs -I {} + cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} + + - name: Verify the signature of the published Docker image + env: + IDENTITY: "https://github.com/containrrr/shepherd/.github/workflows/release.yml@.*" + OIDC_ISSUER: https://token.actions.githubusercontent.com + run: > + echo "${{ steps.meta.outputs.tags }}" | xargs -I {} + cosign verify {}@${{ steps.build-and-push.outputs.digest }} + --certificate-identity-regexp=$IDENTITY --certificate-oidc-issuer=$OIDC_ISSUER