|
54 | 54 | $TAGS \ |
55 | 55 | --file ./Dockerfile \ |
56 | 56 | --output type=image,push=true \ |
| 57 | + --iidfile std.digest \ |
57 | 58 | . |
58 | 59 |
|
| 60 | + - name: Export standard image digest |
| 61 | + run: | |
| 62 | + DIG=$(cat std.digest) |
| 63 | + echo "IMAGE_DIGEST=$DIG" >> $GITHUB_ENV |
| 64 | +
|
59 | 65 | - name: Build distroless image |
60 | 66 | run: | |
61 | 67 | TAGS="--tag ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}-dless" |
|
69 | 75 | $TAGS \ |
70 | 76 | --file ./Dockerfile.dless \ |
71 | 77 | --output type=image,push=true \ |
| 78 | + --iidfile dless.digest \ |
72 | 79 | . |
| 80 | + |
| 81 | + - name: Export distroless image digest |
| 82 | + run: | |
| 83 | + DIG=$(cat dless.digest) |
| 84 | + echo "DLESS_IMAGE_DIGEST=$DIG" >> $GITHUB_ENV |
| 85 | +
|
| 86 | +
|
| 87 | + - name: Install Cosign |
| 88 | + uses: sigstore/cosign-installer@v3.8.1 |
| 89 | + |
| 90 | + - name: Sign ghcr images |
| 91 | + shell: bash |
| 92 | + env: |
| 93 | + COSIGN_EXPERIMENTAL: 1 |
| 94 | + run: | |
| 95 | + cosign sign --yes ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }} |
| 96 | + cosign sign --yes ghcr.io/${{ github.repository }}@${{ env.DLESS_IMAGE_DIGEST }} |
| 97 | + |
| 98 | + - name: Sign docker hub images |
| 99 | + if: ${{ env.USE_DOCKER_HUB == 'true' }} |
| 100 | + shell: bash |
| 101 | + env: |
| 102 | + COSIGN_EXPERIMENTAL: 1 |
| 103 | + run: | |
| 104 | + cosign sign --yes ${{ secrets.DOCKER_HUB_REPO }}@${{ env.IMAGE_DIGEST }} |
| 105 | + cosign sign --yes ${{ secrets.DOCKER_HUB_REPO }}@${{ env.DLESS_IMAGE_DIGEST }} |
| 106 | +
|
| 107 | + - name: Verify ghcr image signatures |
| 108 | + shell: bash |
| 109 | + env: |
| 110 | + COSIGN_EXPERIMENTAL: 1 |
| 111 | + run: | |
| 112 | + cosign verify \ |
| 113 | + --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \ |
| 114 | + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ |
| 115 | + "ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }}" |
| 116 | +
|
| 117 | + cosign verify \ |
| 118 | + --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \ |
| 119 | + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ |
| 120 | + "ghcr.io/${{ github.repository }}@${{ env.DLESS_IMAGE_DIGEST }}" |
| 121 | + |
| 122 | + - name: Verify docker hub image signatures |
| 123 | + if: ${{ env.USE_DOCKER_HUB == 'true' }} |
| 124 | + shell: bash |
| 125 | + env: |
| 126 | + COSIGN_EXPERIMENTAL: 1 |
| 127 | + run: | |
| 128 | + cosign verify \ |
| 129 | + --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \ |
| 130 | + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ |
| 131 | + "${{ secrets.DOCKER_HUB_REPO }}@${{ env.IMAGE_DIGEST }}" |
| 132 | +
|
| 133 | + cosign verify \ |
| 134 | + --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \ |
| 135 | + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ |
| 136 | + "${{ secrets.DOCKER_HUB_REPO }}@${{ env.DLESS_IMAGE_DIGEST }}" |
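Review bot: The new signing path installs cosign with `uses: sigstore/cosign-installer@v3.8.1` (new line 88), a mutable tag, and that step runs with the workflow's OIDC identity and produces the signatures consumers will trust; pin it to a full commit SHA (`uses: sigstore/cosign-installer@<commit-sha> # v3.8.1`) so a moved tag cannot substitute the binary. The `--certificate-identity` values in the verify steps (new lines 113, 118, 129, 134) end in `@${{ github.ref }}`, so they only confirm that this very run signed the images; that is fine as a post-sign smoke test, but downstream verifiers should pin a fixed ref such as `refs/heads/main` or a release tag rather than copying this value, and a short comment saying so would help. `COSIGN_EXPERIMENTAL: 1` was the keyless opt-in for cosign 1.x and, if the installer resolves a 2.x release where keyless is the default, appears to have no effect, so it can likely be dropped once the installed version is confirmed. The job's `permissions` block (`id-token: write`, `packages: write`) lies outside this section, so whether it is scoped to this job rather than the whole workflow could not be checked here.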