Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign remaining images with cosign #9615

Merged
merged 6 commits into from Apr 29, 2024
Merged

Sign remaining images with cosign #9615

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
abf2f53
Sign remaining images with cosign
JamieMagee Apr 25, 2024
89bac9e
Merge branch 'main' into jamiemagee/cosign-sign-updater-core
JamieMagee Apr 26, 2024
b1d46c9
Merge branch 'main' into jamiemagee/cosign-sign-updater-core
JamieMagee Apr 26, 2024
74fbc24
Merge branch 'main' into jamiemagee/cosign-sign-updater-core
JamieMagee Apr 29, 2024
691a597
Merge branch 'main' into jamiemagee/cosign-sign-updater-core
GarryHurleyJr Apr 29, 2024
578817b
Merge branch 'main' into jamiemagee/cosign-sign-updater-core
GarryHurleyJr Apr 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
10 changes: 8 additions & 2 deletions .github/workflows/images-latest.yml
View file
Open in desktop
@@ -1,7 +1,7 @@
name: Latest images
env:
UPDATER_IMAGE: "ghcr.io/dependabot/dependabot-updater-"
on: # yamllint disable-line rule:truthy
on: # yamllint disable-line rule:truthy
push:
branches:
- main
Expand All @@ -27,6 +27,7 @@ jobs:
needs: date-version
permissions:
contents: read
id-token: write
packages: write
strategy:
fail-fast: false
Expand Down Expand Up @@ -60,6 +61,8 @@ jobs:
with:
submodules: recursive

- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Build the dependabot-updater-<ecosystem> image
# despite the script input being $NAME, the resulting image is dependabot-updater-${ECOSYSTEM}
run: script/build ${NAME}
Expand All @@ -74,7 +77,10 @@ jobs:
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

- name: Push the images to GHCR
run: docker push --all-tags "${UPDATER_IMAGE}${ECOSYSTEM}"
run: |
docker push --all-tags "${UPDATER_IMAGE}${ECOSYSTEM}"
# All tags should resolve to the same digest so we only need to look up one of them
cosign sign --yes $(cosign triangulate --type=digest "${UPDATER_IMAGE}${ECOSYSTEM}:latest")

- name: Set summary
run: |
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/images-updater-core.yml
View file
Open in desktop
@@ -1,7 +1,7 @@
name: Updater-Core image
env:
UPDATER_CORE_IMAGE: "ghcr.io/dependabot/dependabot-updater-core"
on: # yamllint disable-line rule:truthy
on: # yamllint disable-line rule:truthy
push:
branches:
- main
Expand All @@ -14,12 +14,16 @@ jobs:
if: github.repository == 'dependabot/dependabot-core'
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
submodules: recursive

- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Build dependabot-updater-core image
run: script/build common
- name: Log in to GHCR
Expand All @@ -28,6 +32,8 @@ jobs:
- name: Push latest image
run: |
docker push "$UPDATER_CORE_IMAGE:latest"
cosign sign --yes $(cosign triangulate --type=digest "$UPDATER_CORE_IMAGE:latest")
JamieMagee marked this conversation as resolved.
Show resolved Hide resolved

- name: Push tagged image
if: contains(github.ref, 'refs/tags')
run: |
Expand Down