sign images with cosign

Signed-off-by: cpanato <[email protected]>

.github/workflows/release.yml

@@ -12,7 +12,13 @@ env:
 jobs:
   release:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
+
       - name: Check out code into the Go module directory
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
@@ -23,18 +29,39 @@ jobs:
         with:
           go-version-file: go.mod
           check-latest: true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+
+      - name: Install crane
+        uses: uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
+
       - name: Login to dockerhub to push the image
         run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin
         env:
           DOCKER_USER: ${{ secrets.DockerHubUser }}
+
+      - name: Login to DockerHub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          username: ${{ secrets.DockerHubUser }}
+          password: ${{ secrets.DockerHubToken }}
+
       - name: Publish Docker Image
         env:
           VERSION: ${{ github.event.inputs.tag }}
         run: make ci publish
+
+      - name: Sign Image and copy to ghcr.io
+        env:
+          VERSION: ${{ github.event.inputs.tag }}
+        run: make sign
+
       - name: run make bump-version
         run: make bump-version
         env:
           NEW_VERSION: ${{ github.event.inputs.tag }}
+
       - name: commit manifests
         uses: EndBug/add-and-commit@1bad3abcf0d6ec49a5857d124b0bfb52dc7bb081 # v9.1.3
         with:

.github/workflows/test.yml

@@ -29,6 +29,11 @@ jobs:
 
   release-dev-image:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
     needs: test
     if: github.ref == 'refs/heads/master'
     steps:
@@ -43,10 +48,12 @@ jobs:
           go-version-file: go.mod
           check-latest: true
 
-      - name: Login to dockerhub to push the image
-        run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin
-        env:
-          DOCKER_USER: ${{ secrets.DockerHubUser }}
+      - name: Login to DockerHub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          username: ${{ secrets.DockerHubUser }}
+          password: ${{ secrets.DockerHubToken }}
+
       - name: build and push new CCM dev image
         run: |
-          VERSION=dev make publish
+          VERSION=dev make publish sign

Makefile

@@ -23,6 +23,7 @@ COMMIT ?= $(shell git rev-parse HEAD)
 BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 VERSION ?= $(shell cat VERSION)
 REGISTRY ?= digitalocean
+REGISTRY_GHCR ?= ghcr.io/digitalocean
 GO_VERSION ?= $(shell go mod edit -print | grep -E '^go [[:digit:].]*' | cut -d' ' -f2)
 
 LDFLAGS ?= -X github.com/digitalocean/digitalocean-cloud-controller-manager/cloud-controller-manager/do.version=$(VERSION) -X github.com/digitalocean/digitalocean-cloud-controller-manager/vendor/k8s.io/kubernetes/pkg/version.gitVersion=$(VERSION) -X github.com/digitalocean/digitalocean-cloud-controller-manager/vendor/k8s.io/kubernetes/pkg/version.gitCommit=$(COMMIT) -X github.com/digitalocean/digitalocean-cloud-controller-manager/vendor/k8s.io/kubernetes/pkg/version.gitTreeState=$(GIT_TREE_STATE)
@@ -89,6 +90,9 @@ else
 	@echo "==> Your image is now available at $(REGISTRY)/digitalocean-cloud-controller-manager:$(VERSION)"
 endif
 
+sign:
+	@cosign sign --yes $(REGISTRY)/digitalocean-cloud-controller-manager@$(shell crane digest $(REGISTRY)/digitalocean-cloud-controller-manager:$(VERSION))
+
 .PHONY: govet
 govet:
 	@go vet $(shell go list ./... | grep -v vendor)