Sign digests not tags. (#1840)

The logic that was in here signed the tags we publish, which is racy. Also, since what cosign actually signs is the digest, this was signing 3x where we really only need one call.
This commit is contained in:
Matt Moore 2021-12-17 15:43:15 -08:00 committed by GitHub
parent 2e8a13943f
commit 22f76bb65d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 12 deletions


@ -54,6 +54,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile
@ -72,9 +73,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:latest
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-debug:
env:
@ -124,6 +123,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_debug
@ -142,9 +142,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-warmer:
env:
@ -192,7 +190,9 @@ jobs:
# Set up docker to authenticate
# via gcloud command-line tool.
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_warmer
@ -211,9 +211,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:latest
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
build-slim:
env:
@ -263,6 +261,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_slim
@ -281,7 +280,5 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
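Review bot: The new sign line has no guard for an empty `steps.build-and-push.outputs.digest`; if the output is unset (step skipped, push disabled, or the `id` not picked up), the reference degrades to `gcr.io/kaniko-project/executor@` and the failure mode is left to cosign's error handling rather than an explicit check. The same pattern is repeated in the executor, debug, warmer and slim jobs, so a fix applies to all four `run:` steps. The expression is also interpolated directly into shell; passing it through `env:` and quoting `"$DIGEST"` is the conventional way to keep the script body free of `${{ }}` substitutions, even though a digest output is not attacker-controlled here. The comment above the step could read `# Use cosign to sign the pushed image by digest (covers every tag pointing at it)` to match what the step now does. Each of these `run:` steps sits inside a job whose definition starts outside the hunk.
```yaml
# Use cosign to sign the pushed image by digest (covers every tag pointing at it)
- env:
    DIGEST: ${{ steps.build-and-push.outputs.digest }}
  run: |
    export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
    test -n "$DIGEST" || { echo "build-and-push produced no digest; refusing to sign" >&2; exit 1; }
    cosign sign -kms "$KMS_VAL" "gcr.io/kaniko-project/executor@$DIGEST"
```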