ci: add cosign support in the release worklow to increase supply chain security (#237)

Closes #216 Signed-off-by: Sanskar Bhushan <sbdtu5498@gmail.com> Signed-off-by: Akshay Gaikwad <akgaikwad001@gmail.com> Co-authored-by: Akshay Gaikwad <akgaikwad001@gmail.com>
2026-05-06 00:17:19 +00:00 · 2023-09-14 19:58:05 +05:30
parent 89265016ea
commit cf49d43b96
1 changed files with 31 additions and 18 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Create, publish container image
+name: Create, publish, sign and verify container image

 on:
  push:
@@ -10,7 +10,7 @@ env:

 jobs:

-  build-push:
+  build-push-sign-verify:
    strategy:
      matrix:
        os: [ubuntu-latest]
@@ -50,13 +50,9 @@ jobs:
        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=tag
-            type=ref,event=pr
-            type=sha

      - name: Build and push Docker image
+        id: build
        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9
        with:
          context: .
@@ -70,13 +66,9 @@ jobs:
        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-init
-          tags: |
-            type=ref,event=branch
-            type=ref,event=tag
-            type=ref,event=pr
-            type=sha

      - name: Build and push Docker image (paralus-init)
+        id: build-init
        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9
        with:
          context: .
@@ -91,13 +83,9 @@ jobs:
        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175
        with:
          images: ${{ env.REGISTRY }}/paralusio/kratos-synchronizer
-          tags: |
-            type=ref,event=branch
-            type=ref,event=tag
-            type=ref,event=pr
-            type=sha

      - name: Build and push Docker image (kratos-sync)
+        id: build-sync
        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9
        with:
          context: .
@@ -105,4 +93,29 @@ jobs:
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta-sync.outputs.tags }}
-          labels: ${{ steps.meta-sync.outputs.labels }}
+          labels: ${{ steps.meta-sync.outputs.labels }}
+      
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.1.1
+
+      - name: Check Cosign
+        run: cosign version
+
+      - name: Sign Published Docker image using Cosign
+        run: |
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-init@${{ steps.build-init.outputs.digest }}  \
+            ${{ env.REGISTRY }}/paralusio/kratos-synchronizer@${{ steps.build-sync.outputs.digest }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        
+      - name: Verify Cosign Signature
+        run: |
+          cosign verify --key env://COSIGN_PUBLIC_KEY \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }} \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-init:${{ github.ref_name }}  \
+            ${{ env.REGISTRY }}/paralusio/kratos-synchronizer:${{ github.ref_name }}
+        env:
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}