check dependencies signatures

crazy-max · crazy-max · commit 19ce39c87748 · 2026-01-13T17:49:26.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -138,7 +138,7 @@ on:
 
 env:
   BUILDX_VERSION: "v0.30.1"
-  BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
+  BUILDKIT_IMAGE: "moby/buildkit:master@sha256:84014da3581b2ff2c14cb4f60029cf9caa272b79e58f2e89c651ea6966d7a505" # TODO: pin to a specific version when signed gha cache feature is available
   SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
   BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.0.4-56"
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.74.0"
@@ -162,6 +162,62 @@ jobs:
         with:
           script: |
             await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+      -
+        name: Install Cosign
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
+        with:
+          script: |
+            const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
+            const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
+
+            const inpCosignVersion = core.getInput('cosign-version');
+
+            const cosignInstall = new Install();
+            const cosignBinPath = await cosignInstall.download({
+              version: core.getInput('cosign-version'),
+              ghaNoCache: true,
+              skipState: true,
+              verifySignature: true
+            });
+            const cosignPath = await cosignInstall.install(cosignBinPath);
+
+            const cosign = new Cosign();
+            await cosign.printVersion();
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          cache-binary: false
+          buildkitd-flags: --debug
+      -
+        name: Check dependencies signatures
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_IMAGES: |
+            ${{ env.BUILDKIT_IMAGE }}
+            ${{ env.SBOM_IMAGE }}
+            ${{ env.BINFMT_IMAGE }}
+        with:
+          script: |
+            const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
+
+            const sigstore = new Sigstore();
+            
+            for (const image of core.getMultilineInput('images')) {
+              await core.group(`Verifying ${image}`, async () => {
+                try {
+                  await sigstore.verifyImageAttestations(image, {
+                    certificateIdentityRegexp: `^https://github.com/docker/github-builder(-experimental)?/.github/workflows/bake.yml.*$`
+                  });
+                } catch (error) {
+                  core.setFailed(error);
+                  return;
+                }
+              });
+            }
       -
         name: Expose GitHub Runtime
         uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -145,7 +145,7 @@ on:
 
 env:
   BUILDX_VERSION: "v0.30.1"
-  BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
+  BUILDKIT_IMAGE: "moby/buildkit:master@sha256:84014da3581b2ff2c14cb4f60029cf9caa272b79e58f2e89c651ea6966d7a505" # TODO: pin to a specific version when signed gha cache feature is available
   SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
   BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.0.4-56"
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.74.0"
@@ -170,6 +170,62 @@ jobs:
         with:
           script: |
             await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+      -
+        name: Install Cosign
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
+        with:
+          script: |
+            const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
+            const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
+
+            const inpCosignVersion = core.getInput('cosign-version');
+
+            const cosignInstall = new Install();
+            const cosignBinPath = await cosignInstall.download({
+              version: core.getInput('cosign-version'),
+              ghaNoCache: true,
+              skipState: true,
+              verifySignature: true
+            });
+            const cosignPath = await cosignInstall.install(cosignBinPath);
+
+            const cosign = new Cosign();
+            await cosign.printVersion();
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          cache-binary: false
+          buildkitd-flags: --debug
+      -
+        name: Check dependencies signatures
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_IMAGES: |
+            ${{ env.BUILDKIT_IMAGE }}
+            ${{ env.SBOM_IMAGE }}
+            ${{ env.BINFMT_IMAGE }}
+        with:
+          script: |
+            const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
+
+            const sigstore = new Sigstore();
+
+            for (const image of core.getMultilineInput('images')) {
+              await core.group(`Verifying ${image}`, async () => {
+                try {
+                  await sigstore.verifyImageAttestations(image, {
+                    certificateIdentityRegexp: `^https://github.com/docker/github-builder(-experimental)?/.github/workflows/bake.yml.*$`
+                  });
+                } catch (error) {
+                  core.setFailed(error);
+                  return;
+                }
+              });
+            }
       -
         name: Expose GitHub Runtime
         uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
