feat: cosign images

It helps to check that the image was built in GitHub Actions.

Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
This commit is contained in:
Serge Logvinov
2023-08-06 10:43:05 +03:00
committed by Serge
parent abd63a2b72
commit bc879ab871
11 changed files with 81 additions and 5 deletions


@@ -8,9 +8,13 @@ charts/
docs/ docs/
hack/ hack/
Dockerfile Dockerfile
#
# other # other
*.md *.md
*.yml *.yml
*.zip *.zip
*.sql *.sql
# cosign
/cosign.key
/cosign.pub


@@ -4,6 +4,18 @@
version: 2 version: 2
updates: updates:
- package-ecosystem: "github-actions"
directory: "/"
commit-message:
prefix: "chore:"
open-pull-requests-limit: 5
rebase-strategy: disabled
schedule:
interval: "weekly"
day: "monday"
time: "08:00"
timezone: "UTC"
- package-ecosystem: "gomod" - package-ecosystem: "gomod"
directory: "/" directory: "/"
commit-message: commit-message:
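Review bot: With `github-actions` now tracked by Dependabot, the workflow `uses:` references in the later hunks (`actions/checkout@v3`, `sigstore/cosign-installer@v3.1.1`) can be pinned to full commit SHAs instead of moving tags, e.g. `uses: sigstore/cosign-installer@<commit-sha> # v3.1.1`; Dependabot updates SHA pins and keeps the trailing version comment current. A tag can be moved by anyone with write access to the upstream repository, which matters most for the installer that fetches the signing tool this commit introduces. The `updates:` list continues outside the hunk.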


@@ -14,18 +14,23 @@ on:
jobs: jobs:
build-publish: build-publish:
name: "Build image and publish" name: "Build image and publish"
timeout-minutes: 15
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
contents: read contents: read
packages: write packages: write
id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Unshallow - name: Unshallow
run: git fetch --prune --unshallow run: git fetch --prune --unshallow
- name: Install Cosign
uses: sigstore/cosign-installer@v3.1.1
- name: Set up docker buildx - name: Set up docker buildx
run: make docker-init run: make docker-init
- name: Github registry login - name: Github registry login
uses: docker/login-action@v2 uses: docker/login-action@v2
with: with:
@@ -34,8 +39,15 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push - name: Build and push
timeout-minutes: 10
run: make images run: make images
env: env:
USERNAME: ${{ github.repository_owner }} USERNAME: ${{ github.repository_owner }}
PUSH: "true" PUSH: "true"
TAG: "edge" TAG: "edge"
- name: Sign images
timeout-minutes: 4
run: make images-cosign
env:
USERNAME: ${{ github.repository_owner }}
TAG: "edge"
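Review bot: The new "Sign images" step signs by mutable tag (`make images-cosign` with `TAG: "edge"`), so cosign resolves `edge` to whatever digest the registry holds at signing time, not necessarily the image this run pushed; cosign itself warns about tag references for exactly this reason. Capturing the digest produced by the build (for example from buildx `--metadata-file` or `docker buildx imagetools inspect`) and signing `$(IMAGE)@sha256:<digest>` ties the signature to this run's artifact, and a `concurrency:` group on the workflow would also stop two edge runs from interleaving push and sign. The release workflow hunk further down adds the same "Sign images" step and has the same issue. The job's `on:` trigger is outside the hunk, so I could not confirm which events can reach this job now that it carries `id-token: write`.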


@@ -14,6 +14,7 @@ on:
jobs: jobs:
build: build:
name: Build name: Build
timeout-minutes: 15
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
contents: read contents: read
@@ -22,17 +23,18 @@ jobs:
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Set up go - name: Set up go
uses: actions/setup-go@v3 timeout-minutes: 5
uses: actions/setup-go@v4
with: with:
go-version-file: 'go.mod' go-version-file: 'go.mod'
cache: true
- name: Lint - name: Lint
uses: golangci/golangci-lint-action@v3 uses: golangci/golangci-lint-action@v3
with: with:
version: v1.52.2 version: v1.53.3
args: --config=.golangci.yml args: --config=.golangci.yml
- name: Unit - name: Unit
run: make unit run: make unit
- name: Build - name: Build
timeout-minutes: 10
run: make build run: make build
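Review bot: `cache: true` on the "Set up go" step is redundant with `actions/setup-go@v4`, which enables module and build caching by default, so the line can be dropped or kept as an explicit statement of intent. If it stays, note that a `cache-dependency-path:` would only be needed if go.sum were not at the repository root, which the hunk does not show either way.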


@@ -10,6 +10,7 @@ on:
jobs: jobs:
helm-lint: helm-lint:
name: Helm chart check name: Helm chart check
timeout-minutes: 5
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout
@@ -19,7 +20,7 @@ jobs:
- name: Install chart-testing tools - name: Install chart-testing tools
id: lint id: lint
uses: helm/chart-testing-action@v2.3.1 uses: helm/chart-testing-action@v2.4.0
- name: Run helm chart linter - name: Run helm chart linter
run: ct --config hack/ct.yml lint run: ct --config hack/ct.yml lint


@@ -8,6 +8,7 @@ on:
jobs: jobs:
conform: conform:
name: Conformance name: Conformance
timeout-minutes: 5
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout


@@ -24,6 +24,8 @@ jobs:
- name: Install Helm - name: Install Helm
uses: azure/setup-helm@v3 uses: azure/setup-helm@v3
with:
version: v3.12.2
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@v3.1.1 uses: sigstore/cosign-installer@v3.1.1


@@ -8,18 +8,23 @@ on:
jobs: jobs:
build-publish: build-publish:
name: "Build image and publish" name: "Build image and publish"
timeout-minutes: 15
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
contents: read contents: read
packages: write packages: write
id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Unshallow - name: Unshallow
run: git fetch --prune --unshallow run: git fetch --prune --unshallow
- name: Install Cosign
uses: sigstore/cosign-installer@v3.1.1
- name: Set up docker buildx - name: Set up docker buildx
run: make docker-init run: make docker-init
- name: Github registry login - name: Github registry login
uses: docker/login-action@v2 uses: docker/login-action@v2
with: with:
@@ -28,6 +33,10 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push - name: Build and push
timeout-minutes: 10
run: make images run: make images
env: env:
PUSH: "true" PUSH: "true"
- name: Sign images
timeout-minutes: 4
run: make images-cosign
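Review bot: The certificate identity cosign records for this step is `https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/release.yaml@<ref>`, where `<ref>` is the ref the run was triggered from; if this workflow runs on tag pushes (its `on:` block is outside the hunk), that will be `refs/tags/<tag>` rather than `refs/heads/main`, and the `--certificate-identity ...release.yaml@refs/heads/main` form given in the new docs/cosign.md would fail to verify release images. Either confirm the trigger is a branch push or document `--certificate-identity-regexp 'https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/release.yaml@refs/tags/.*'` for releases. Unlike the build-edge hunk, this Sign step passes no `TAG` env, so it relies on the Makefile's default `TAG` matching what "Build and push" pushed; neither default is visible here, so worth confirming.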

4
.gitignore vendored

@@ -5,3 +5,7 @@
/kubeconfig /kubeconfig
/proxmox-config.yaml /proxmox-config.yaml
# #
# cosign
/cosign.key
/cosign.pub


@@ -26,6 +26,8 @@ else
BUILD_ARGS += --output type=docker BUILD_ARGS += --output type=docker
endif endif
COSING_ARGS ?=
############ ############
# Help Menu # Help Menu
@@ -135,3 +137,7 @@ images: ## Build images
--build-arg SHA="$(SHA)" \ --build-arg SHA="$(SHA)" \
-t $(IMAGE):$(TAG) \ -t $(IMAGE):$(TAG) \
-f Dockerfile . -f Dockerfile .
.PHONY: images-cosign
images-cosign:
@cosign sign --yes $(COSING_ARGS) --recursive $(IMAGE):$(TAG)
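Review bot: `COSING_ARGS` is misspelled on both new lines, and since it is the variable users will override from the command line (`make images-cosign COSIGN_ARGS=...`) it is worth renaming before anything depends on it: `COSIGN_ARGS ?=` and `@cosign sign --yes $(COSIGN_ARGS) --recursive $(IMAGE):$(TAG)`. `--yes` also skips cosign's confirmation that the image reference and the signer's identity will be stored permanently in the public Rekor transparency log, which is the intended trade-off for keyless signing in CI but deserves a comment above the target, e.g. `# --yes: non-interactive; accepts upload to the public Rekor transparency log`. Signing a mutable tag rather than a digest is raised on the build-edge workflow hunk. The same misspelling ("Cosing's") appears in the new docs/cosign.md.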

23
docs/cosign.md Normal file

@@ -0,0 +1,23 @@
# Verify images
We'll be employing [Cosing's](https://github.com/sigstore/cosign) keyless verifications to ensure that images were built in Github Actions.
## Verify Helm chart
We will verify the keyless signature using the Cosign protocol.
```shell
cosign verify ghcr.io/sergelogvinov/charts/proxmox-cloud-controller-manager:0.1.5 --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/release-charts.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
```
## Verify containers
We will verify the keyless signature using the Cosign protocol.
```shell
# Edge version
cosign verify ghcr.io/sergelogvinov/proxmox-cloud-controller-manager:edge --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/build-edge.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
# Releases
cosign verify ghcr.io/sergelogvinov/proxmox-cloud-controller-manager:v0.2.0 --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
```