feat(docker): sign built images with cosign

neilime · neilime · commit d57f6cc6979e · 2025-07-09T15:38:56.000+02:00
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
@@ -20,7 +20,6 @@ permissions:
   pull-requests: write
   security-events: write
   statuses: write
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 concurrency:
diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml
@@ -14,7 +14,6 @@ permissions:
   pull-requests: write
   security-events: write
   statuses: write
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 concurrency:
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
@@ -12,8 +12,6 @@ permissions:
   pull-requests: read
   security-events: write
   statuses: write
-  # yamllint disable-line rule:line-length
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
@@ -42,10 +40,6 @@ jobs:
     needs: linter
     uses: ./.github/workflows/__test-action-get-image-name.yml
 
-  test-action-helm-generate-docs:
-    needs: linter
-    uses: ./.github/workflows/__test-action-helm-generate-docs.yml
-
   test-action-helm-parse-chart-uri:
     needs: linter
     uses: ./.github/workflows/__test-action-helm-parse-chart-uri.yml
diff --git a/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml b/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml
@@ -10,7 +10,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 env:
diff --git a/.github/workflows/__test-action-helm-generate-docs.yml b/.github/workflows/__test-action-helm-generate-docs.yml
diff --git a/.github/workflows/__test-action-helm-release-chart.yml b/.github/workflows/__test-action-helm-release-chart.yml
@@ -13,9 +13,6 @@ jobs:
   tests:
     name: Test for "helm/release-chart" action with simple chart
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/__test-action-helm-test-chart.yml b/.github/workflows/__test-action-helm-test-chart.yml
@@ -10,7 +10,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
diff --git a/.github/workflows/__test-workflow-docker-build-images.yml b/.github/workflows/__test-workflow-docker-build-images.yml
@@ -10,12 +10,12 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 # jscpd:ignore-start
 jobs:
   arrange:
+    name: Arrange
     runs-on: ubuntu-latest
     steps:
       - run: |
@@ -24,7 +24,8 @@ jobs:
             exit 1
           fi
 
-  act-build-arch:
+  act-build-images:
+    name: Act - Build multi-arch and mono-arch images
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
@@ -55,17 +56,18 @@ jobs:
           }
         ]
 
-  assert-build-arch:
-    needs: act-build-arch
+  assert-build-arch-mono-arch:
+    name: Assert - multi-arch and mono-arch builds
+    needs: act-build-images
     runs-on: "ubuntu-latest"
     steps:
-      - name: Check built images ouput
+      - name: Assert - built images output
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const builtImagesOutput = `${{ needs.act-build-arch.outputs.built-images }}`;
+            const builtImagesOutput = `${{ needs.act-build-images.outputs.built-images }}`;
             assert(builtImagesOutput.length, `"built-images" output is empty`);
 
             // Check if is valid Json
@@ -132,13 +134,13 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ github.token }}
 
-      - name: Check multi-arch docker image and manifest
+      - name: Assert - multi-arch docker image and manifest
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-multi-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -194,13 +196,32 @@ jobs:
               assert.equal(annotations[key], value, `Expected annotation not found: ${key}`);
             });
 
-      - name: Check mono-arch docker image
+      - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+
+      - name: Assert - signed multi-arch docker image
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const images = ${{ toJson(fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images) }};
+
+            for(const image of images) {
+              await exec.exec(
+                'cosign',
+                [
+                  'verify', image,
+                  '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
+                  '--certificate-identity-regexp', 'https://github.com/hoverkraft-tech/ci-github-container',
+                ]
+              );
+            }
+
+      - name: Assert - mono-arch docker image
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-mono-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -239,7 +260,25 @@ jobs:
               );
             });
 
+      - name: Assert - signed mono-arch docker image
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const images = ${{ toJson(fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images) }};
+
+            for(const image of images) {
+              await exec.exec(
+                'cosign',
+                [
+                  'verify', image,
+                  '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
+                  '--certificate-identity-regexp', 'https://github.com/hoverkraft-tech/ci-github-container',
+                ]
+              );
+            }
+
   act-build-args-secrets-and-registry-caching:
+    name: Act - Build with args, secrets and registry caching
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
@@ -275,6 +314,7 @@ jobs:
         SECRET_ENV_GITHUB_APP_TOKEN_2
 
   assert-build-args-secrets-and-registry-caching:
+    name: Assert - Build with args, secrets and registry caching
     needs: act-build-args-secrets-and-registry-caching
     runs-on: "ubuntu-latest"
     steps:
diff --git a/.github/workflows/docker-build-images.md b/.github/workflows/docker-build-images.md
@@ -19,7 +19,7 @@ Needs the following permissions:
 - `issues`: `read`
 - `packages`: `write`
 - `pull-requests`: `read`
-- `id-token`: `write` <!-- FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 -->
+- `id-token`: `write`
 
 <!-- end description -->
 <!-- start contents -->
@@ -39,7 +39,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml
@@ -137,7 +137,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
@@ -500,3 +499,23 @@ jobs:
           oci-registry-username: ${{ inputs.oci-registry-username }}
           oci-registry-password: ${{ secrets.oci-registry-password }}
           built-images: ${{ steps.built-images.outputs.built-images }}
+
+      - id: get-images-to-sign
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const builtImagesInput = `${{ steps.built-images.outputs.built-images }}`;
+            let builtImages = null;
+            try {
+              builtImages = JSON.parse(builtImagesInput);
+            } catch (error) {
+              throw new Error(`"built-images" input is not a valid JSON: ${error}`);
+            }
+
+            // Get images to sign
+            const imagesToSign = Object.values(builtImages).map(image => image.images).flat();
+            core.setOutput('images-to-sign', JSON.stringify(imagesToSign));
+      - uses: ./self-workflow/actions/docker/sign-images
+        with:
+          images: ${{ steps.get-images-to-sign.outputs.images-to-sign }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/actions/docker/create-images-manifests/action.yml b/actions/docker/create-images-manifests/action.yml
@@ -91,12 +91,13 @@ runs:
               )
               .flat().join(" ");
 
-            createManifestCommand = `docker buildx imagetools create ${annotations} ${tags} ${digests}`;
+            const createManifestCommand = `docker buildx imagetools create ${annotations} ${tags} ${digests}`;
 
             return new Promise(async (resolve, reject)  => {
               try {
                 await exec.exec(createManifestCommand);
                 core.debug(`Create manifest for "${builtImage.name}" ("${createManifestCommand}") executed`);
+
                 resolve();
               } catch(error){
                 reject(error);
diff --git a/actions/docker/sign-images/README.md b/actions/docker/sign-images/README.md
@@ -0,0 +1,37 @@
+<!-- start title -->
+
+# <img src=".github/ghadocs/branding.svg" width="60px" align="center" alt="branding<icon:package color:gray-dark>" /> GitHub Action: Docker - Sign Images
+
+<!-- end title -->
+<!--
+// jscpd:ignore-start
+-->
+<!-- markdownlint-disable MD013 -->
+<!-- start badges -->
+<!-- end badges -->
+<!-- markdownlint-enable MD013 -->
+<!--
+// jscpd:ignore-end
+-->
+<!-- start description -->
+<!-- end description -->
+<!-- start contents -->
+<!-- end contents -->
+
+If default GitHub token is used, the following permissions are required:
+
+```yml
+permissions:
+  id-token: write
+```
+
+<!-- start usage -->
+<!-- end usage -->
+<!-- start inputs -->
+<!-- end inputs -->
+<!-- markdownlint-disable MD013 -->
+<!-- start outputs -->
+<!-- end outputs -->
+<!-- markdownlint-enable MD013 -->
+<!-- start [.github/ghadocs/examples/] -->
+<!-- end [.github/ghadocs/examples/] -->
diff --git a/actions/docker/sign-images/action.yml b/actions/docker/sign-images/action.yml
diff --git a/tests/charts/application/README.md b/tests/charts/application/README.md
diff --git a/tests/charts/umbrella-application/README.md b/tests/charts/umbrella-application/README.md
diff --git a/tests/charts/umbrella-application/charts/app/README.md b/tests/charts/umbrella-application/charts/app/README.md
