Start keyless signing kaniko releases (#1841)

Matt Moore 2021-12-17 16:52:51 -08:00 committed by GitHub
parent 22f76bb65d
commit c87f8efd07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 9 deletions


@ -7,6 +7,12 @@ on:
jobs:
build-executor:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env:
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
@ -71,11 +77,20 @@ jobs:
cosign-release: 'v1.4.1'
# Use cosign to sign the images
- run: |
- env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-debug:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env:
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
@ -140,11 +155,20 @@ jobs:
cosign-release: 'v1.4.1'
# Use cosign to sign the images
- run: |
- env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-warmer:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env:
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
@ -209,11 +233,20 @@ jobs:
cosign-release: 'v1.4.1'
# Use cosign to sign the images
- run: |
- env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
build-slim:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env:
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
@ -278,7 +311,9 @@ jobs:
cosign-release: 'v1.4.1'
# Use cosign to sign the images
- run: |
- env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
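Review bot: `id-token: write` is granted at job level in `build-executor` (and likewise in `build-debug`, `build-warmer` and `build-slim`), so every step of the job can request an OIDC token for this workflow and obtain a signing certificate under the release identity, including any third-party build and push actions that run before `cosign sign`. Those earlier steps lie outside the hunks, so how exposed this is depends on what they run and how they are pinned. Confining the permission to a small follow-up job that only installs cosign and signs the digest handed over as a job output would keep the signing identity away from the build steps; a sketch for the executor image follows, with the digest passed through `env` rather than interpolated into the script. The KMS-based signing lines are left out of the sketch because the rendered page has lost its +/- markers and it is unclear whether they remain on the new side.

```yaml
  build-executor:
    permissions:
      contents: read
    outputs:
      digest: ${{ steps.build-and-push.outputs.digest }}
    # … unchanged: env, build and push steps …

  # job name is a suggestion
  sign-executor:
    needs: build-executor
    # … runs-on as for build-executor …
    permissions:
      # Produce identity token for keyless signing
      id-token: write
    steps:
      # … unchanged: registry login (if the signature push needs it) and cosign install steps …
      - env:
          COSIGN_EXPERIMENTAL: "true"
          DIGEST: ${{ needs.build-executor.outputs.digest }}
        run: |
          cosign sign "gcr.io/kaniko-project/executor@${DIGEST}"
```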