Merge pull request #694 from smallstep/max/docker-cosign
[action] sign and push sigs for multi-arch docker containers w/ cosign
commit
8a2b2db608
2 changed files with 18 additions and 3 deletions
19
.github/workflows/release.yml
vendored
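--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -158,13 +158,25 @@ jobs:
 runs-on: ubuntu-20.04
 needs: test
 steps:
-- name: Checkout
+-
+name: Checkout
 uses: actions/checkout@v2
-- name: Setup Go
+-
+name: Setup Go
 uses: actions/setup-go@v2
 with:
 go-version: '1.16'
-- name: Build
+-
+name: Install cosign
+uses: sigstore/cosign-installer@main
+with:
+cosign-release: 'v1.1.0'
+-
+name: Write cosign key to disk
+id: write_key
+run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
+-
+name: Build
 id: build
 run: |
 PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
@@ -172,3 +184,4 @@ jobs:
 env:
 DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+COSIGN_PWD: ${{ secrets.COSIGN_PWD }}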
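Review bot: The `Write cosign key to disk` step substitutes `${{ secrets.COSIGN_KEY }}` directly into the script text, so the shell parses the key material inside double quotes, and the file is created in `/tmp` with the default umask and never removed. Passing the secret through `env:`, setting `umask 077` before the write and deleting the file in an `if: always()` step keeps the key out of the script and off disk once the job ends. Separately, `sigstore/cosign-installer@main` follows a mutable branch in a job that holds the signing key and the registry credentials; pinning it to a full commit SHA (`uses: sigstore/cosign-installer@<full-commit-sha>`) would fix what code runs there. The job definition starts above the hunk and the Build step's script continues past it.

```yaml
-
  name: Write cosign key to disk
  id: write_key
  env:
    COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
  run: |
    umask 077
    printf '%s\n' "$COSIGN_KEY" > /tmp/cosign.key
# … unchanged: Build step …
-
  name: Remove cosign key
  if: always()
  run: rm -f /tmp/cosign.key
```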
|
@ -54,6 +54,8 @@ define DOCKER_BUILDX
|
||||||
# $(1) -- Image Tag
|
# $(1) -- Image Tag
|
||||||
# $(2) -- Push (empty is no push | --push will push to dockerhub)
|
# $(2) -- Push (empty is no push | --push will push to dockerhub)
|
||||||
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
|
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
|
||||||
|
echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
|
||||||
|
|
||||||
endef
|
endef
|
||||||
|
|
||||||
# For non-master builds don't build the docker containers.
|
# For non-master builds don't build the docker containers.
|
||||||
|
|
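Review bot: The added recipe line expands `$(COSIGN_PWD)` in make, so the password becomes part of the command text that make echoes to the job log, and the shell then re-parses it (a `$`, backtick or quote in the value changes the command). Letting the shell read it from the environment avoids both: `printf '%s' "$$COSIGN_PWD" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)`. The sign step also runs when `$(2)` is empty, which the comment above documents as the no-push case, so it would presumably fail or sign whatever the registry already holds under that tag; guarding it on `$(2)` looks safer. Signing resolves the tag at sign time rather than the digest the build produced, so signing by digest would tie the signature to the image that was just built. Callers of DOCKER_BUILDX are outside this hunk, so confirm how it is invoked.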