chore: signed release for containerd

Signed-off-by: Gaius <[email protected]>
dragonflyoss · Sep 18, 2024 · 678aa47 · 678aa47
1 parent 759a70e
commit 678aa47
Showing 1 changed file with 39 additions and 1 deletion.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -6,6 +6,9 @@ on:
       - main
     tags:
       - v*
+  pull_request:
+    branches: [main, release-*]
+    paths-ignore: ["**.md", "**.png", "**.jpg", "**.svg", "**/docs/**"]
 
 permissions:  
   contents: read
@@ -64,6 +67,9 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-buildx-
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Login Docker Hub
         uses: docker/[email protected]
         with:
@@ -76,7 +82,10 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify base image
+        run: |          
+          cosign dockerfile verify --base-image-only --key https://github.com/GoogleContainerTools/distroless build/images/${{ matrix.module }}/Dockerfile
 
       - name: Push to Registry
         uses: docker/[email protected]
@@ -85,8 +94,12 @@ jobs:
           platforms: ${{ matrix.platforms }}
           file: build/images/${{ matrix.module }}/Dockerfile
           labels: |-
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
             org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }}
           build-args: |
             GITVERSION=git-${{ steps.vars.outputs.git_revision }}
             VERSION=${{ steps.get_version.outputs.VERSION }}
@@ -97,6 +110,31 @@ jobs:
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
 
+      - name: Sign container image
+        run: |
+            cosign sign --key env://COSIGN_KEY dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+            cosign sign --key env://COSIGN_KEY ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+
+      - name: Check images
+        run: |
+          docker buildx imagetools inspect dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+          docker pull dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+          cosign verify --key cosign.pub dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }} 
+          docker buildx imagetools inspect ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+          docker pull ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+          cosign verify --key cosign.pub ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }} 
+
+      - uses: anchore/sbom-action@v0
+        with:
+          image: dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+
+      - uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+
       - name: Move cache
         run: |
           rm -rf /tmp/.buildx-cache