public_git
/
kaniko
mirror of https://github.com/GoogleContainerTools/kaniko
1
0
Fork 0
Code Issues Releases Wiki Activity

Start keyless signing kaniko releases (#1841)

This commit is contained in:
Matt Moore 2021-12-17 16:52:51 -08:00 committed by GitHub
parent 22f76bb65d
commit c87f8efd07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
.github/workflows/release.yaml vendored
View File

@ -7,6 +7,12 @@ on:
jobs: jobs:
build-executor: build-executor:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env: env:
GITHUB_SHA: ${{ github.sha }} GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }} GITHUB_REF: ${{ github.ref }}
@ -71,11 +77,20 @@ jobs:
cosign-release: 'v1.4.1' cosign-release: 'v1.4.1'
# Use cosign to sign the images # Use cosign to sign the images
- run: | - env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-debug: build-debug:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env: env:
GITHUB_SHA: ${{ github.sha }} GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }} GITHUB_REF: ${{ github.ref }}
@ -116,7 +131,7 @@ jobs:
project_id: kaniko-project project_id: kaniko-project
export_default_credentials: true export_default_credentials: true
# Configure docker to use the gcloud command-line tool as a credential helper # Configure docker to use the gcloud command-line tool as a credential helper
- run: | - run: |
# Set up docker to authenticate # Set up docker to authenticate
# via gcloud command-line tool. # via gcloud command-line tool.
@ -126,7 +141,7 @@ jobs:
id: build-and-push id: build-and-push
with: with:
context: . context: .
file: ./deploy/Dockerfile_debug file: ./deploy/Dockerfile_debug
platforms: ${{ env.PLATFORMS }} platforms: ${{ env.PLATFORMS }}
push: true push: true
tags: | tags: |
@ -139,12 +154,21 @@ jobs:
with: with:
cosign-release: 'v1.4.1' cosign-release: 'v1.4.1'
# Use cosign to sign the images # Use cosign to sign the images
- run: | - env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-warmer: build-warmer:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env: env:
GITHUB_SHA: ${{ github.sha }} GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }} GITHUB_REF: ${{ github.ref }}
@ -208,12 +232,21 @@ jobs:
with: with:
cosign-release: 'v1.4.1' cosign-release: 'v1.4.1'
# Use cosign to sign the images # Use cosign to sign the images
- run: | - env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }} cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
build-slim: build-slim:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env: env:
GITHUB_SHA: ${{ github.sha }} GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }} GITHUB_REF: ${{ github.ref }}
@ -278,7 +311,9 @@ jobs:
cosign-release: 'v1.4.1' cosign-release: 'v1.4.1'
# Use cosign to sign the images # Use cosign to sign the images
- run: | - env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}