ci: sign images

Signed-off-by: Moritz Wanzenböck <moritz.wanzenboeck@linbit.com>

Author: WanzenBug

.github/workflows/build-docker.yaml

@@ -23,6 +23,9 @@ jobs:
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3
+      - name: Set up cosign
+        uses: sigstore/cosign-installer@v3
+        if: ${{ github.event_name != 'pull_request' }}
       - name: login to Docker Hub
         if: ${{ github.event_name != 'pull_request' }}
         uses: docker/login-action@v3
@@ -36,14 +39,28 @@ jobs:
           registry: quay.io
           username: ${{ secrets.QUAYIO_USERNAME }}
           password: ${{ secrets.QUAYIO_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push
         uses: docker/bake-action@v5
+        id: bake
         with:
           builder: ${{ steps.buildx.outputs.name }}
           workdir: dockerfiles
           provenance: true
           sbom: true
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
+          targets: ktls-utils
         env:
           GIT_COMMIT: ${{ github.sha }}
           CACHE: true
+          REGISTRIES: ghcr.io/piraeusdatastore
+      - name: Sign images
+        run: |
+          jq '.[] | ."containerimage.digest" as $DIGEST | ."image.name" | split(",")[] | "\(.)@\($DIGEST)"' -r <<<'${{ steps.bake.outputs.metadata }}' \
+            | xargs cosign sign --yes

dockerfiles/docker-bake.hcl

@@ -25,10 +25,7 @@ variable VERSIONS {
 }
 
 variable "REGISTRIES" {
-  default = [
-    "quay.io/piraeusdatastore",
-    "docker.io/piraeusdatastore",
-  ]
+  default = "quay.io/piraeusdatastore,docker.io/piraeusdatastore"
 }
 
 # Replace all characters that are not supported in a target name with "-".
@@ -41,7 +38,7 @@ function "escape" {
 function "tags" {
   params = [name, version]
   result = flatten([
-    for registry in REGISTRIES :
+    for registry in split(",", REGISTRIES) :
     [
       // Full version
       "${registry}/${name}:v${version}",

dockerfiles/drbd-driver-loader/Dockerfile.centos7

@@ -1,7 +1,8 @@
 FROM centos:centos7
 MAINTAINER Roland Kammerer <roland.kammerer@linbit.com>
 
-RUN yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical && \
+RUN sed -e 's/^mirrorlist=/#mirrorlist=/' -e 's%^#baseurl=http://mirror.centos.org%baseurl=http://vault.centos.org%' -i /etc/yum.repos.d/*.repo && \
+    yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical && \
 	yum install -y gcc make patch diffutils perl kmod && yum clean all -y
 
 ARG DRBD_VERSION