feat: cosign images

It helps to check that image was build in github-actions.

Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>

.dockerignore

@@ -8,9 +8,13 @@ charts/
 docs/
 hack/
 Dockerfile
-#
+
 # other
 *.md
 *.yml
 *.zip
 *.sql
+
+# cosign
+/cosign.key
+/cosign.pub

.github/dependabot.yml

@@ -4,6 +4,18 @@
 
 version: 2
 updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    commit-message:
+      prefix: "chore:"
+    open-pull-requests-limit: 5
+    rebase-strategy: disabled
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "UTC"
+
   - package-ecosystem: "gomod"
     directory: "/"
     commit-message:

.github/workflows/build-edge.yaml

@@ -14,18 +14,23 @@ on:
 jobs:
   build-publish:
     name: "Build image and publish"
+    timeout-minutes: 15
     runs-on: ubuntu-22.04
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Unshallow
         run: git fetch --prune --unshallow
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.1.1
       - name: Set up docker buildx
         run: make docker-init
+
       - name: Github registry login
         uses: docker/login-action@v2
         with:
@@ -34,8 +39,15 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
+        timeout-minutes: 10
         run: make images
         env:
           USERNAME: ${{ github.repository_owner }}
           PUSH: "true"
           TAG: "edge"
+      - name: Sign images
+        timeout-minutes: 4
+        run: make images-cosign
+        env:
+          USERNAME: ${{ github.repository_owner }}
+          TAG: "edge"

.github/workflows/build-test.yaml

@@ -14,6 +14,7 @@ on:
 jobs:
   build:
     name: Build
+    timeout-minutes: 15
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -22,17 +23,18 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Set up go
-        uses: actions/setup-go@v3
+        timeout-minutes: 5
+        uses: actions/setup-go@v4
         with:
           go-version-file: 'go.mod'
-          cache: true
 
       - name: Lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.52.2
+          version: v1.53.3
           args: --config=.golangci.yml
       - name: Unit
         run: make unit
       - name: Build
+        timeout-minutes: 10
         run: make build

.github/workflows/charts.yaml

@@ -10,6 +10,7 @@ on:
 jobs:
   helm-lint:
     name: Helm chart check
+    timeout-minutes: 5
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
@@ -19,7 +20,7 @@ jobs:
 
       - name: Install chart-testing tools
         id: lint
-        uses: helm/chart-testing-action@v2.3.1
+        uses: helm/chart-testing-action@v2.4.0
 
       - name: Run helm chart linter
         run: ct --config hack/ct.yml lint

.github/workflows/conform.yaml

@@ -8,6 +8,7 @@ on:
 jobs:
   conform:
     name: Conformance
+    timeout-minutes: 5
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout

.github/workflows/release-charts.yaml

@@ -24,6 +24,8 @@ jobs:
 
       - name: Install Helm
         uses: azure/setup-helm@v3
+        with:
+          version: v3.12.2
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3.1.1
 

.github/workflows/release.yaml

@@ -8,18 +8,23 @@ on:
 jobs:
   build-publish:
     name: "Build image and publish"
+    timeout-minutes: 15
     runs-on: ubuntu-22.04
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Unshallow
         run: git fetch --prune --unshallow
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.1.1
       - name: Set up docker buildx
         run: make docker-init
+
       - name: Github registry login
         uses: docker/login-action@v2
         with:
@@ -28,6 +33,10 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
+        timeout-minutes: 10
         run: make images
         env:
           PUSH: "true"
+      - name: Sign images
+        timeout-minutes: 4
+        run: make images-cosign

.gitignore

@@ -5,3 +5,7 @@
 /kubeconfig
 /proxmox-config.yaml
 #
+
+# cosign
+/cosign.key
+/cosign.pub

Makefile

@@ -26,6 +26,8 @@ else
 BUILD_ARGS += --output type=docker
 endif
 
+COSING_ARGS ?=
+
 ############
 
 # Help Menu
@@ -135,3 +137,7 @@ images: ## Build images
 		--build-arg SHA="$(SHA)" \
 		-t $(IMAGE):$(TAG) \
 		-f Dockerfile .
+
+.PHONY: images-cosign
+images-cosign:
+	@cosign sign --yes $(COSING_ARGS) --recursive $(IMAGE):$(TAG)

docs/cosign.md

@@ -0,0 +1,23 @@
+# Verify images
+
+We'll be employing [Cosing's](https://github.com/sigstore/cosign) keyless verifications to ensure that images were built in Github Actions.
+
+## Verify Helm chart
+
+We will verify the keyless signature using the Cosign protocol.
+
+```shell
+cosign verify ghcr.io/sergelogvinov/charts/proxmox-cloud-controller-manager:0.1.5 --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/release-charts.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
+```
+
+## Verify containers
+
+We will verify the keyless signature using the Cosign protocol.
+
+```shell
+# Edge version
+cosign verify ghcr.io/sergelogvinov/proxmox-cloud-controller-manager:edge --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/build-edge.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
+
+# Releases
+cosign verify ghcr.io/sergelogvinov/proxmox-cloud-controller-manager:v0.2.0 --certificate-identity https://github.com/sergelogvinov/proxmox-cloud-controller-manager/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
+```