
Commit 8eb5813

authored
ci: sign Docker images using Cosign and GCP KMS (#31)
1 parent 41db170 commit 8eb5813


1 file changed

+33
-7
lines changed


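--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
 branches:
 - master
 
+permissions:
+id-token: write
+contents: read
+
 jobs:
 build:
 
@@ -36,12 +40,20 @@ jobs:
 - name: Setup Docker Buildx
 uses: docker/setup-buildx-action@v3
 
-- name: Login to GCR
-uses: docker/login-action@v1
+- name: Authenticate to Google Cloud (OIDC)
+uses: google-github-actions/auth@v2
+id: auth
+with:
+token_format: access_token
+workload_identity_provider: "projects/783375390186/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
+service_account: "gha-cosign-artifact@ehealth-162117.iam.gserviceaccount.com"
+
+- name: Login to GAR
+uses: docker/login-action@v3
 with:
-registry: eu.gcr.io
-username: _json_key
-password: ${{ secrets.GCR_JSON_KEY }}
+registry: europe-docker.pkg.dev
+username: oauth2accesstoken
+password: ${{ steps.auth.outputs.access_token }}
 
 - name: Set image tag
 id: vars
@@ -51,12 +63,13 @@ jobs:
 echo "timestamp=$(date +'%s')" >> $GITHUB_OUTPUT
 
 - name: Build and push images
-uses: docker/build-push-action@v2
+id: docker_build
+uses: docker/build-push-action@v6
 with:
 push: true
 context: .
 file: Dockerfile
-tags: eu.gcr.io/ehealth-162117/${{ steps.vars.outputs.project_name }}:${{ steps.vars.outputs.image_tag }}
+tags: europe-docker.pkg.dev/ehealth-162117/eu.gcr.io/${{ steps.vars.outputs.project_name }}:${{ steps.vars.outputs.image_tag }}
 
 - run: |
 git config --global user.email "deployment@edenlab.com.ua"
@@ -65,3 +78,16 @@ jobs:
 git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/edenlabllc/uaddresses.web.git
 git push --follow-tags origin master
 continue-on-error: false
+
+- name: Install Cosign
+uses: sigstore/cosign-installer@v3
+
+- name: Sign image with cosign using digest
+env:
+GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }}
+run: |
+echo "Signing digest: ${{ steps.docker_build.outputs.digest }}"
+cosign sign --tlog-upload=false \
+--yes \
+--key gcpkms://projects/ehealth-162117/locations/europe-west1/keyRings/ehealth/cryptoKeys/cosign-signer-key \
+europe-docker.pkg.dev/ehealth-162117/eu.gcr.io/${{ steps.vars.outputs.project_name }}@${{ steps.docker_build.outputs.digest }}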
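Review bot: The workflow-level `permissions:` block added in the first hunk pins GITHUB_TOKEN to `contents: read`, yet the untouched step at new lines 78–79 still runs `git push --follow-tags origin master` over `https://${{ secrets.GITHUB_TOKEN }}@github.com/...`, which requires `contents: write`; unless that push was already failing under a read-only repository default, this commit breaks the tag push. Either change the line to `contents: write`, or move the whole `permissions:` map onto the `build` job so that `id-token: write` is not handed to every job the file may later gain. Because `cosign sign` is invoked with `--tlog-upload=false`, no Rekor entry or timestamp is produced, so add a comment above that line such as `# no transparency-log entry: verifiers must pass --key gcpkms://... --insecure-ignore-tlog=true` and mirror that in the deploy-side verification policy. It is not visible here whether the `github-provider` workload identity provider carries an attribute condition binding `assertion.repository` (and ideally `assertion.ref`) to this repo and branch; without one, any GitHub workflow could mint the same access token and sign with the KMS key. The `- run: |` step that performs the push begins in the previous hunk.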
