
Commit 8563273

npasquinnpasquin
authored andcommitted
ci: add cosign image signing with Vault Transit
- Add cosign installation step (v2.4.1) - Add Vault AppRole authentication using vault-action - Sign images with Vault Transit key (hashivault://cosign-key) - Get image digest via skopeo inspect for immutable signing - Disable GHCR push temporarily (Harbor only) - Update build summary with signing info
1 parent 70d48ec commit 8563273

1 file changed

Lines changed: 57 additions & 13 deletions


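--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -120,11 +120,12 @@ jobs:
 - name: Build application JAR
 run: ./gradlew assembly:buildFatJar --no-daemon --parallel -x test
 
-- name: Log in to GHCR
-id: ghcr_login
-continue-on-error: true
-run: |
-echo "${{ secrets.GHCR_PAT }}" | docker login ${{ env.GHCR_REGISTRY }} -u "${{ github.actor }}" --password-stdin
+# GHCR login disabled - Harbor only for now
+# - name: Log in to GHCR
+# id: ghcr_login
+# continue-on-error: true
+# run: |
+# echo "${{ secrets.GHCR_PAT }}" | docker login ${{ env.GHCR_REGISTRY }} -u "${{ github.actor }}" --password-stdin
 
 - name: Build Docker image
 run: |
@@ -136,9 +137,15 @@ jobs:
 -t ${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.sha_short }} \
 -f ./Dockerfile .
 
-- name: Install skopeo
+- name: Install skopeo and cosign
 run: |
 sudo apt-get update && sudo apt-get install -y skopeo
+# Install cosign
+COSIGN_VERSION="v2.4.1"
+curl -sLO "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
+chmod +x cosign-linux-amd64
+sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+cosign version
 
 - name: Push to Harbor with skopeo
 run: |
@@ -152,12 +159,48 @@ jobs:
 docker-daemon:${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.sha_short }} \
 docker://${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.sha_short }}
 
-- name: Tag and push to GHCR (backup)
-if: steps.ghcr_login.outcome == 'success'
+# GHCR push disabled - Harbor only for now
+# - name: Tag and push to GHCR (backup)
+# if: steps.ghcr_login.outcome == 'success'
+# run: |
+# docker tag ${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }} \
+# ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.ghcr_tag }}
+# docker push ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.ghcr_tag }}
+
+- name: Get image digest
+id: digest
+run: |
+DIGEST=$(skopeo inspect --creds "${{ secrets.HARBOR_USERNAME }}:${{ secrets.HARBOR_PASSWORD }}" \
+docker://${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }} \
+| jq -r '.Digest')
+echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
+echo "Image digest: ${DIGEST}"
+
+- name: Authenticate to Vault
+uses: hashicorp/vault-action@v3
+with:
+url: ${{ secrets.VAULT_ADDR }}
+method: approle
+roleId: ${{ secrets.VAULT_ROLE_ID }}
+secretId: ${{ secrets.VAULT_SECRET_ID }}
+exportToken: true
+
+- name: Sign image with cosign
+env:
+VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
+VAULT_TOKEN: ${{ env.VAULT_TOKEN }}
+TRANSIT_SECRET_ENGINE_PATH: operator-transit
 run: |
-docker tag ${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }} \
-${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.ghcr_tag }}
-docker push ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.ghcr_tag }}
+IMAGE_REF="${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}@${{ steps.digest.outputs.digest }}"
+echo "Signing image: ${IMAGE_REF}"
+
+cosign sign --yes \
+--key hashivault://cosign-key \
+--registry-username "${{ secrets.HARBOR_USERNAME }}" \
+--registry-password "${{ secrets.HARBOR_PASSWORD }}" \
+"${IMAGE_REF}"
+
+echo "Image signed successfully"
 
 - name: Summary
 run: |
@@ -167,7 +210,8 @@ jobs:
 echo "- \`${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }}\`" >> $GITHUB_STEP_SUMMARY
 echo "- \`${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.sha_short }}\`" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
-echo "### GHCR (Backup)" >> $GITHUB_STEP_SUMMARY
-echo "- \`${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.ghcr_tag }}\`" >> $GITHUB_STEP_SUMMARY
+echo "### Signing" >> $GITHUB_STEP_SUMMARY
+echo "- **Digest:** \`${{ steps.digest.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY
+echo "- **Signed with:** Vault Transit (cosign-key)" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "**Commit:** \`${{ github.sha }}\`" >> $GITHUB_STEP_SUMMARY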
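Review bot: The cosign binary that produces every signature is fetched in the `Install skopeo and cosign` step with `curl -sLO` and moved into `/usr/local/bin` with no integrity check, so a tampered or substituted download would be trusted to sign release images; verify the asset before the `mv` (e.g. fetch `cosign_checksums.txt` from the same release and run `sha256sum --check --ignore-missing cosign_checksums.txt`), or use the `sigstore/cosign-installer` action pinned to a commit SHA. In the `Get image digest` step, `DIGEST=$(skopeo inspect … | jq -r '.Digest')` runs without `pipefail`, so a failed `skopeo inspect` appears to leave `DIGEST` empty while the step still succeeds and `IMAGE_REF` ends in a bare `@`; add `set -euo pipefail` and `[[ "$DIGEST" == sha256:* ]] || exit 1` before writing to `$GITHUB_OUTPUT`. Both `skopeo inspect --creds` and `cosign sign --registry-password` put the Harbor password into process arguments visible to anything else on the runner; a preceding `skopeo login --password-stdin` (cosign reads the same docker config) avoids that. `cosign sign --yes` also uploads the signature to the public Rekor transparency log by default, which, as far as I recall, publishes the Harbor image reference and digest; if the registry is private and that is not intended, add `--tlog-upload=false`. Finally, `exportToken: true` on the Vault step exposes `VAULT_TOKEN` to every later step including `Summary`; `outputToken: true` with `${{ steps.<vault-step-id>.outputs.vault_token }}` passed only to the signing step's `env` would narrow that exposure.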
