From bc879ab871508a66656befef3238b54acda822b5 Mon Sep 17 00:00:00 2001
From: Serge Logvinov
Date: Sun, 6 Aug 2023 10:43:05 +0300
Subject: [PATCH] feat: cosign images

It helps to check that image was build in github-actions.

Signed-off-by: Serge Logvinov
---
 .dockerignore                         |  6 +++++-
 .github/dependabot.yml                | 12 ++++++++++++
 .github/workflows/build-edge.yaml     | 12 ++++++++++++
 .github/workflows/build-test.yaml     |  8 +++++---
 .github/workflows/charts.yaml         |  3 ++-
 .github/workflows/conform.yaml        |  1 +
 .github/workflows/release-charts.yaml |  2 ++
 .github/workflows/release.yaml        |  9 +++++++++
 .gitignore                            |  4 ++++
 Makefile                              |  6 ++++++
 docs/cosign.md                        | 23 +++++++++++++++++++++++
 11 files changed, 81 insertions(+), 5 deletions(-)
 create mode 100644 docs/cosign.md

diff --git a/.dockerignore b/.dockerignore
index babf8c8..2cbb06f 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -8,9 +8,13 @@ charts/
 docs/
 hack/
 Dockerfile
-#
+
 # other
 *.md
 *.yml
 *.zip
 *.sql
+
+# cosign
+/cosign.key
+/cosign.pub
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f75dad3..7deb8e2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,18 @@ version: 2
 updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    commit-message:
+      prefix: "chore:"
+    open-pull-requests-limit: 5
+    rebase-strategy: disabled
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "UTC"
+
   - package-ecosystem: "gomod"
     directory: "/"
     commit-message:
diff --git a/.github/workflows/build-edge.yaml b/.github/workflows/build-edge.yaml
index dbc940f..f28446f 100644
--- a/.github/workflows/build-edge.yaml
+++ b/.github/workflows/build-edge.yaml
@@ -14,18 +14,23 @@ on:
 jobs:
   build-publish:
     name: "Build image and publish"
+    timeout-minutes: 15
     runs-on: ubuntu-22.04
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
     - name: Checkout
       uses: actions/checkout@v3
     - name: Unshallow
       run: git fetch --prune --unshallow
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3.1.1
     - name: Set up docker buildx
       run: make docker-init
+
     - name: Github registry login
       uses: docker/login-action@v2
       with:
@@ -34,8 +39,15 @@ jobs:
       password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build and push
+      timeout-minutes: 10
       run: make images
       env:
         USERNAME: ${{ github.repository_owner }}
         PUSH: "true"
         TAG: "edge"
+    - name: Sign images
+      timeout-minutes: 4
+      run: make images-cosign
+      env:
+        USERNAME: ${{ github.repository_owner }}
+        TAG: "edge"
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 011a814..1afc5b8 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -14,6 +14,7 @@ on:
 jobs:
   build:
     name: Build
+    timeout-minutes: 15
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -22,17 +23,18 @@ jobs:
       uses: actions/checkout@v3
     - name: Set up go
-      uses: actions/setup-go@v3
+      timeout-minutes: 5
+      uses: actions/setup-go@v4
       with:
         go-version-file: 'go.mod'
-        cache: true
     - name: Lint
       uses: golangci/golangci-lint-action@v3
       with:
-        version: v1.52.2
+        version: v1.53.3
         args: --config=.golangci.yml
     - name: Unit
       run: make unit
     - name: Build
+      timeout-minutes: 10
       run: make build
diff --git a/.github/workflows/charts.yaml b/.github/workflows/charts.yaml
index 2824ff2..e8ececc 100644
--- a/.github/workflows/charts.yaml
+++ b/.github/workflows/charts.yaml
@@ -10,6 +10,7 @@ on:
 jobs:
   helm-lint:
     name: Helm chart check
+    timeout-minutes: 5
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout
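Review bot: `uses: sigstore/cosign-installer@v3.1.1` pins the tool that produces the signatures by a mutable tag, as do the `actions/checkout@v3` and `docker/login-action@v2` lines around it, so the cosign binary placed on the runner can change with no diff in this repository. Pin each `uses:` to the action's full commit SHA and keep the version in a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3.1.1`; the `github-actions` dependabot entry added in this same commit will then bump the SHA and the comment together. The job-level `id-token: write` is required for keyless signing, but it lets every step in the job, third-party actions included, mint an OIDC token for this repository's identity, which is one more reason the pins matter; a one-line comment such as `id-token: write  # OIDC token for cosign keyless signing` would record why it is there.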
@@ -19,7 +20,7 @@ jobs:
     - name: Install chart-testing tools
       id: lint
-      uses: helm/chart-testing-action@v2.3.1
+      uses: helm/chart-testing-action@v2.4.0
     - name: Run helm chart linter
       run: ct --config hack/ct.yml lint
diff --git a/.github/workflows/conform.yaml b/.github/workflows/conform.yaml
index 2b0a107..3815c71 100644
--- a/.github/workflows/conform.yaml
+++ b/.github/workflows/conform.yaml
@@ -8,6 +8,7 @@ on:
 jobs:
   conform:
     name: Conformance
+    timeout-minutes: 5
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout
diff --git a/.github/workflows/release-charts.yaml b/.github/workflows/release-charts.yaml
index 4166f1c..830ee33 100644
--- a/.github/workflows/release-charts.yaml
+++ b/.github/workflows/release-charts.yaml
@@ -24,6 +24,8 @@ jobs:
     - name: Install Helm
       uses: azure/setup-helm@v3
+      with:
+        version: v3.12.2
     - name: Install Cosign
       uses: sigstore/cosign-installer@v3.1.1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c2e2d34..579aa50 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,18 +8,23 @@ on:
 jobs:
   build-publish:
     name: "Build image and publish"
+    timeout-minutes: 15
     runs-on: ubuntu-22.04
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
     - name: Checkout
       uses: actions/checkout@v3
     - name: Unshallow
       run: git fetch --prune --unshallow
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3.1.1
     - name: Set up docker buildx
       run: make docker-init
+
     - name: Github registry login
       uses: docker/login-action@v2
       with:
@@ -28,6 +33,10 @@ jobs:
       password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build and push
+      timeout-minutes: 10
       run: make images
       env:
         PUSH: "true"
+    - name: Sign images
+      timeout-minutes: 4
+      run: make images-cosign
diff --git a/.gitignore b/.gitignore
index 5629af2..46ce63e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,7 @@
 /kubeconfig
 /proxmox-config.yaml
 #
+
+# cosign
+/cosign.key
+/cosign.pub
diff --git a/Makefile b/Makefile
index aca693e..a08184c 100644
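Review bot: The `Sign images` step's keyless certificate will carry the identity `…/.github/workflows/release.yaml@<ref>` for whichever ref the run was triggered on, while docs/cosign.md in this same commit tells users to verify releases with `--certificate-identity …/release.yaml@refs/heads/main`. The `on:` trigger is outside this hunk; if release.yaml runs on tag pushes, the certificate SAN will be `@refs/tags/vX.Y.Z` and the documented command will reject every release signature. Confirm the trigger and, if it is tag-based, document `--certificate-identity-regexp '^https://github.com/sergelogvinov/proxmox-cloud-controller-manager/\.github/workflows/release\.yaml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'` instead. The same check applies to the release-charts.yaml identity in the chart section of the docs.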
--- a/Makefile
+++ b/Makefile
@@ -26,6 +26,8 @@ else
 BUILD_ARGS += --output type=docker
 endif
+COSING_ARGS ?=
+
 ############
 # Help Menu
@@ -135,3 +137,7 @@ images: ## Build images
 		--build-arg SHA="$(SHA)" \
 		-t $(IMAGE):$(TAG) \
 		-f Dockerfile .
+
+.PHONY: images-cosign
+images-cosign:
+	@cosign sign --yes $(COSING_ARGS) --recursive $(IMAGE):$(TAG)
diff --git a/docs/cosign.md b/docs/cosign.md
new file mode 100644
index 0000000..28ad27a
--- /dev/null
+++ b/docs/cosign.md
@@ -0,0 +1,23 @@
+# Verify images
+
+We'll be employing [Cosing's](https://github.com/sigstore/cosign) keyless verifications to ensure that images were built in Github Actions.
+
+## Verify Helm chart
+
+We will verify the keyless signature using the Cosign protocol.
+
+```shell
+cosign verify ghcr.io/sergelogvinov/charts/proxmox-cloud-controller-manager:0.1.5 --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/release-charts.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
+```
+
+## Verify containers
+
+We will verify the keyless signature using the Cosign protocol.
+
+```shell
+# Edge version
+cosign verify ghcr.io/sergelogvinov/proxmox-cloud-controller-manager:edge --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/build-edge.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
+
+# Releases
+cosign verify ghcr.io/sergelogvinov/proxmox-cloud-controller-manager:v0.2.0 --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
+```
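Review bot: `COSING_ARGS ?=` misspells the tool's name, and because it is a user-overridable make variable the typo becomes part of the interface (`make images-cosign COSING_ARGS=…`) as soon as anyone relies on it; rename it to `COSIGN_ARGS` here and in the `images-cosign` recipe in the next hunk before this ships. A comment stating what it is for would also help, e.g. `# extra flags for 'cosign sign'; empty selects keyless (OIDC) signing, which is what CI uses`.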
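Review bot: `cosign sign --yes $(COSING_ARGS) --recursive $(IMAGE):$(TAG)` signs whatever the mutable tag resolves to at sign time, not necessarily the image this run just pushed; recent cosign versions resolve the tag to a digest themselves and warn about exactly this, and for the `edge` tag, which a concurrent run can re-point between the `images` and `images-cosign` steps, the signature can land on another run's image. Capture the digest from the build instead: add `--metadata-file image-meta.json` to the buildx invocation in the `images` target (its body starts outside this hunk) and sign `"$(IMAGE)@$$(jq -r '."containerimage.digest"' image-meta.json)"`, so the signed artifact is exactly what was built. `--yes` is appropriate here — in keyless mode it acknowledges that the workflow identity is recorded in the public Rekor log — but a comment saying so, `# --yes: consent to publishing the OIDC identity in the transparency log`, saves the next reader a lookup.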