
Commit 0e84b00

committed
Update templated files to rev ec01d15 (#260)
Automatically created PR based on commit ec01d153883ed8bc0a34a14489a9aebcee415017 in stackabletech/operator-templating repo. Triggered by: Manual run triggered by: dervoeti with message [Sign container images in Nexus]
1 parent 923dbd1 commit 0e84b00

2 files changed

+14
-1
lines changed

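--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -282,6 +282,8 @@ jobs:
       - tests_passed
       - select_helm_repo
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     env:
       NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
       HELM_REPO: ${{ needs.select_helm_repo.outputs.helm_repository }}
@@ -312,6 +314,8 @@ jobs:
       # Recreate charts and publish charts and docker image. The "-e" is needed as we want to override the
       # default value in the makefile if called from this action, but not otherwise (i.e. when called locally).
       # This is needed for the HELM_REPO variable.
+      - name: Set up Cosign
+        uses: sigstore/[email protected]
       - name: Publish Docker image and Helm chart
         run: make -e publish
       # Output the name of the published image to the Job output for later use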
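Review bot: The new job-level `permissions:` block at the first hunk only lists `id-token: write`, and once a job declares `permissions` every permission it does not list drops to `none` for that job, so if this job checks out the repository or reads packages (its steps continue outside the hunk, so I cannot confirm) it now also needs an explicit `contents: read` next to `id-token: write`. In the second hunk, the `uses: sigstore/[email protected]` reference looks mangled by the page rendering; whatever the real reference is, it is a third-party action that gains the OIDC token, so pin it to a full commit SHA with the release as a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha>  # vX.Y.Z` (placeholder), rather than a mutable tag. A one-line comment above `permissions:` saying `# id-token: write is required for cosign keyless signing (OIDC)` would also tell the next maintainer why the job asks for it.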

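--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,16 @@ docker-build:
 
 docker-publish:
 	echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"
-	docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}"
+	DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\
+	# Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
+	REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
+	if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\
+	echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}';\
+	exit 1;\
+	fi;\
+	# This generates a signature and publishes it to the registry, next to the image\
+	# Uses the keyless signing flow with Github Actions as identity provider\
+	cosign sign -y ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:@$$REPO_DIGEST_OF_IMAGE
 
 # TODO remove if not used/needed
 docker: docker-build docker-publish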
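Review bot: The reference passed to `cosign sign` on the last added line is `name:@sha256:...`, i.e. an empty tag before the `@`; the canonical digest reference is `name@sha256:...`, and relying on the reference parser to tolerate the empty tag is fragile, so I would write `cosign sign -y "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE"` (quoted, since the digest comes from parsed tool output). The awk pattern interpolates `${VERSION}` unescaped into a regex, so any `.` in the version matches any character; harmless for the expected input, but worth a comment or an escaped version. Capturing the push output into `DOCKER_OUTPUT` also means the push log is no longer visible in CI; an `echo "$$DOCKER_OUTPUT";\` right after the capture line keeps it, which matters when the digest lookup fails and a maintainer needs to see what `docker push` actually printed. Since verification of a keyless signature is only meaningful with a pinned identity, the comment above `cosign sign` should also state the expected certificate identity and OIDC issuer that consumers must pass to `cosign verify`.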
