From cbb03577e939d9b8415bd9eb02fe9cb18d5256a7 Mon Sep 17 00:00:00 2001 From: 6C656C65 <73671374+6C656C65@users.noreply.github.com> Date: Fri, 2 May 2025 14:20:25 +0200 Subject: [PATCH 1/6] Add github action for signing Docker Images --- .github/workflows/docker-images.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 29db1f2..8e7367c 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -20,6 +20,7 @@ jobs: permissions: contents: read packages: write + id-token: write steps: - name: Checkout repository @@ -54,4 +55,16 @@ jobs: docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} - docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest \ No newline at end of file + docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest + + - name: Install Cosign + uses: sigstore/cosign-installer@v3.1.1 + + - name: Sign Docker images with Cosign (OIDC) + env: + COSIGN_EXPERIMENTAL: "1" + run: | + cosign sign ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} + cosign sign ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest + cosign sign ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim + cosign sign ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim \ No newline at end of file From 86288f41613dff0a2352c59915b8ffa1815ed49f Mon Sep 17 00:00:00 2001 From: 6C656C65 <73671374+6C656C65@users.noreply.github.com> Date: Fri, 2 May 2025 14:35:31 +0200 Subject: [PATCH 2/6] Fix Cosign by adding --yes flag --- .github/workflows/docker-images.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 8e7367c..6aa25a4 100644 --- a/.github/workflows/docker-images.yml 
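Review bot: The four `cosign sign` calls in the second hunk sign mutable tag references, so each signature is bound to whatever the tag resolves to at signing time rather than to the manifest this job just pushed; cosign itself warns about this and the recommended form is `repository@sha256:…`. After `docker push` the digest can be read back with `docker inspect --format '{{index .RepoDigests 0}}' ghcr.io/${REPO_OWNER}/pyproxy:${VERSION}` and passed to one `cosign sign --yes …` per distinct image, which also covers every tag pointing at that digest (`latest` and `${VERSION}` were pushed from the same build). The step has no comment explaining what is being signed or how consumers verify it; a one-liner such as `# Keyless (Sigstore OIDC) signature; verify with cosign verify --certificate-identity-regexp …` would help the next maintainer.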
+++ b/.github/workflows/docker-images.yml @@ -29,6 +29,9 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 + - name: Install Cosign + uses: sigstore/cosign-installer@v3.8.1 + - name: Log in to GitHub Container Registry run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin @@ -57,14 +60,11 @@ jobs: docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest - - name: Install Cosign - uses: sigstore/cosign-installer@v3.1.1 - - name: Sign Docker images with Cosign (OIDC) env: COSIGN_EXPERIMENTAL: "1" run: | - cosign sign ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} - cosign sign ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest - cosign sign ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim - cosign sign ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim \ No newline at end of file + cosign sign --yes ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} + cosign sign --yes ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest + cosign sign --yes ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim + cosign sign --yes ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim \ No newline at end of file From 3ef5e812ba5aabad8c596eace009008c5344114b Mon Sep 17 00:00:00 2001 From: 6C656C65 <73671374+6C656C65@users.noreply.github.com> Date: Fri, 2 May 2025 14:56:14 +0200 Subject: [PATCH 3/6] Cosign use key pair --- .github/workflows/docker-images.yml | 24 +++++++++++++++--------- cosign.pub | 4 ++++ 2 files changed, 19 insertions(+), 9 deletions(-) create mode 100644 cosign.pub diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 6aa25a4..375adb5 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
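Review bot: `sigstore/cosign-installer@v3.8.1` is pinned to a mutable tag in the job that produces the release signatures, so whoever can move that tag controls the signing binary; pin the action to its 40-character commit SHA and keep the version as a trailing comment on the `uses:` line. Moving the install ahead of the registry login is fine, but the Buildx and login steps around it carry the same tag-only pinning and deserve the same treatment (they are outside this commit's changes).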
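Review bot: `COSIGN_EXPERIMENTAL: "1"` is a cosign 1.x switch; the installer at v3.8.1 installs a cosign 2.x binary by default as far as I can tell, where keyless signing is already the default and the variable is dead, so it should be removed rather than carried forward. Adding `--yes` makes the step run unattended, but note that the confirmation it suppresses is also where cosign 2.x warns that each reference is a tag rather than a digest. Since `${{ env.VERSION }}` and `latest` (and their `-slim` twins) were just pushed from the same image, two of the four calls re-sign a digest that already carries a signature; one call per distinct `repository@sha256:…` is enough and avoids duplicate Rekor entries.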
@@ -24,16 +24,20 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Install Cosign uses: sigstore/cosign-installer@v3.8.1 - name: Log in to GitHub Container Registry - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + uses: docker/login-action@v3.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Get version from version.py id: get_version @@ -60,11 +64,13 @@ jobs: docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest - - name: Sign Docker images with Cosign (OIDC) + - name: Sign the publisehd Docker image env: - COSIGN_EXPERIMENTAL: "1" + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} run: | - cosign sign --yes ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} - cosign sign --yes ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest - cosign sign --yes ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim - cosign sign --yes ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim \ No newline at end of file + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim + env: + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} \ No newline at end of file diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 0000000..7d1f415 --- /dev/null +++ b/cosign.pub 
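Review bot: This hunk trades the keyless OIDC signature, which binds each signature to this workflow's identity and needs no long-lived secret, for a static private key held in `secrets.COSIGN_PRIVATE_KEY`; anyone who can run a workflow in this repository (or read its secrets) can now mint valid signatures, and revocation means rotating both the secret and the committed `cosign.pub`. If key-based signing is a requirement, say so in the step, e.g. `# Key-based signing; consumers verify with: cosign verify --key cosign.pub <image>`, and consider keeping a keyless signature alongside it. The step also declares `env:` twice, which GitHub's workflow parser rejects as a duplicate key, so `COSIGN_PASSWORD` and `COSIGN_PRIVATE_KEY` need to live in one map. The new step name `Sign the publisehd Docker image` has a typo (`published`).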
@@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEUeaD2IefyJvBbZvUxygbBaM1/TA +2dgFXxehw6kRMvNFByRGVvIwx7ovWCYWHX4wPuOT7TKphYF0afKiB1ym9Q== +-----END PUBLIC KEY----- From 013676f88eb375c3e683178798ea198c9fc940c3 Mon Sep 17 00:00:00 2001 From: 6C656C65 <73671374+6C656C65@users.noreply.github.com> Date: Fri, 2 May 2025 14:59:27 +0200 Subject: [PATCH 4/6] fix env already defined --- .github/workflows/docker-images.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 375adb5..6d27984 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -65,12 +65,11 @@ jobs: docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest - name: Sign the publisehd Docker image - env: - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} run: | cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim env: + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} \ No newline at end of file From 2be1ac519e2845e96a1a5974a5410071cc752b2f Mon Sep 17 00:00:00 2001 From: 6C656C65 <73671374+6C656C65@users.noreply.github.com> Date: Fri, 2 May 2025 17:13:02 +0200 Subject: [PATCH 5/6] test signing with privkey --- .github/workflows/docker-images.yml | 42 ++++++++++++++++------------- 1 file changed, 24 insertions(+), 18 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 6d27984..df817a7 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
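Review bot: `cosign.pub` is committed with nothing saying what it signs or how to verify against it; a PEM file cannot carry a comment, so the README should state that images are verified with `cosign verify --key cosign.pub` against a published `ghcr.io/…/pyproxy` reference, and which key (by fingerprint or generation date) this is. Nothing checks that this file still matches `secrets.COSIGN_PRIVATE_KEY`, so a rotated secret with a stale `cosign.pub` would sign every release with a key nobody can verify against.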
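Review bot: Merging `COSIGN_PASSWORD` into the single `env:` map fixes the duplicate key, but the job still never proves the key pair is consistent; add a verify step right after signing, `cosign verify --key cosign.pub ghcr.io/${REPO_OWNER}/pyproxy:${VERSION}`, so a secret rotated without updating `cosign.pub` fails the run instead of shipping unverifiable images. If the job still carries the `id-token: write` permission added for keyless signing (outside this hunk), it is now unused and should be dropped to keep the job token least-privilege.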
@@ -49,27 +49,33 @@ jobs: - name: Convert repository owner to lowercase run: echo "REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV - - name: Build Docker image - run: | - docker build -t ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} -t ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest . - - - name: Build Docker slim image - run: | - docker build -f Dockerfile.slim -t ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim -t ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim . + - id: docker_meta + uses: docker/metadata-action@v5.6.1 + with: + images: | + ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim + ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim + ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} + ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest + tags: type=sha,format=long - - name: Push Docker image - run: | - docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim - docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim - docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} - docker push ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest + - name: Build and Push Docker images + uses: docker/build-push-action@v6.14.0 + id: build-and-push + with: + platforms: linux/amd64,linux/arm/v7,linux/arm64 + push: true + tags: ${{ steps.docker_meta.outputs.tags }} - name: Sign the publisehd Docker image run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images} env: 
+ TAGS: ${{ steps.docker_meta.outputs.tags }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} \ No newline at end of file + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} \ No newline at end of file From 0345df88ae7d67d6cf728188cb57fe5e2f709b02 Mon Sep 17 00:00:00 2001 From: 6C656C65 <73671374+6C656C65@users.noreply.github.com> Date: Fri, 2 May 2025 17:19:17 +0200 Subject: [PATCH 6/6] test without digest --- .github/workflows/docker-images.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index df817a7..1fab2d8 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -57,7 +57,7 @@ jobs: ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }} ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest - tags: type=sha,format=long + tags: type=raw - name: Build and Push Docker images uses: docker/build-push-action@v6.14.0 @@ -71,11 +71,10 @@ jobs: run: | images="" for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " + images+="${tag}" done cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images} env: TAGS: ${{ steps.docker_meta.outputs.tags }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} \ No newline at end of file + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} \ No newline at end of file
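Review bot: The new `build-push-action` step has no `file:` input, so it builds the default `Dockerfile` once and pushes it under all four tags — the removed `docker build -f Dockerfile.slim` build is gone and `:${VERSION}-slim` / `:latest-slim` now receive the non-slim image. `docker/metadata-action` is also being fed full `repo:tag` references in `images:`, which expects bare repository names and appends its own `:tag`, so the generated references are unlikely to be what is intended. Signing `${tag}@${DIGEST}` is the right idea; the simpler shape is two build steps (one per Dockerfile), each exposing `outputs.digest`, and one `cosign sign` per digest, as below. The `linux/arm/v7` and `linux/arm64` platforms need QEMU registered on the runner (`docker/setup-qemu-action`), which I cannot see in this hunk.
```yaml
      # … unchanged: checkout, buildx, cosign install, login, version, REPO_OWNER …

      - name: Build and push image
        id: build
        uses: docker/build-push-action@v6.14.0
        with:
          context: .
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          push: true
          tags: |
            ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}
            ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest

      - name: Build and push slim image
        id: build-slim
        uses: docker/build-push-action@v6.14.0
        with:
          context: .
          file: Dockerfile.slim
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          push: true
          tags: |
            ghcr.io/${{ env.REPO_OWNER }}/pyproxy:${{ env.VERSION }}-slim
            ghcr.io/${{ env.REPO_OWNER }}/pyproxy:latest-slim

      # Sign each manifest by digest; the signature then covers every tag
      # that points at it, so one call per image is enough.
      - name: Sign the published images
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          IMAGE: ghcr.io/${{ env.REPO_OWNER }}/pyproxy
          DIGEST: ${{ steps.build.outputs.digest }}
          DIGEST_SLIM: ${{ steps.build-slim.outputs.digest }}
        run: |
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE}@${DIGEST}"
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE}@${DIGEST_SLIM}"
```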
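Review bot: `tags: type=raw` carries no `value=`, and as far as I can tell a raw rule needs one, while `images:` still holds `repo:tag` strings instead of repository names, so what `metadata-action` emits here depends on how it tolerates malformed input rather than on anything declared. If the four references are fixed, pass them straight to the build step, `tags: |` followed by the four `ghcr.io/${{ env.REPO_OWNER }}/pyproxy:…` lines, and drop `metadata-action` and `docker_meta` entirely.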
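Review bot: The loop now appends `${tag}` with no separator (the removed line had a trailing space after `${DIGEST}`), so `images` becomes the four references concatenated into one string and `cosign sign` receives a single malformed argument. Dropping the digest also re-binds the signature to mutable tags, which the previous commit had fixed; `steps.build-and-push.outputs.digest` is still available, and one call covers every tag on that manifest: `cosign sign --yes --key env://COSIGN_PRIVATE_KEY "ghcr.io/${REPO_OWNER}/pyproxy@${DIGEST}"` with `DIGEST: ${{ steps.build-and-push.outputs.digest }}` restored in `env:`. If tag references must be kept, `cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${TAGS}` needs no loop at all.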