Merge pull request #694 from smallstep/max/docker-cosign

[action] sign and push sigs for multi-arch docker containers w/ cosign
This commit is contained in:
Max 2021-09-01 13:21:12 -07:00 committed by GitHub
commit 8a2b2db608
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 3 deletions

View file

@ -158,13 +158,25 @@ jobs:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
needs: test needs: test
steps: steps:
- name: Checkout -
name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Setup Go -
name: Setup Go
uses: actions/setup-go@v2 uses: actions/setup-go@v2
with: with:
go-version: '1.16' go-version: '1.16'
- name: Build -
name: Install cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.1.0'
-
name: Write cosign key to disk
id: write_key
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
-
name: Build
id: build id: build
run: | run: |
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
@ -172,3 +184,4 @@ jobs:
env: env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}

View file

@ -54,6 +54,8 @@ define DOCKER_BUILDX
# $(1) -- Image Tag # $(1) -- Image Tag
# $(2) -- Push (empty is no push | --push will push to dockerhub) # $(2) -- Push (empty is no push | --push will push to dockerhub)
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2) docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
endef endef
# For non-master builds don't build the docker containers. # For non-master builds don't build the docker containers.