Commit 9e5338a

committed
sign images and also copy to ghcr.io for releases and main branch
Signed-off-by: cpanato <[email protected]>
1 parent fcc0510 commit 9e5338a

3 files changed

+62
-5
lines changed

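--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,14 @@ env:
 jobs:
 release:
 runs-on: ubuntu-latest
+
+permissions:
+contents: read
+packages: write
+id-token: write
+
 steps:
+
 - name: Check out code into the Go module directory
 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 with:
@@ -23,18 +30,46 @@ jobs:
 with:
 go-version-file: go.mod
 check-latest: true
+
+- name: Install cosign
+uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+
+- name: Install crane
+uses: uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
+
 - name: Login to dockerhub to push the image
 run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin
 env:
 DOCKER_USER: ${{ secrets.DockerHubUser }}
+
+- name: Login to DockerHub
+uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+with:
+username: ${{ secrets.DockerHubUser }}
+password: ${{ secrets.DockerHubToken }}
+
+- name: Login to GitHub Docker Registry
+uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Publish Docker Image
 env:
 VERSION: ${{ github.event.inputs.tag }}
 run: make ci publish
+
+- name: Sign Image and copy to ghcr.io
+env:
+VERSION: ${{ github.event.inputs.tag }}
+run: make sign copy-ghcr
+
 - name: run make bump-version
 run: make bump-version
 env:
 NEW_VERSION: ${{ github.event.inputs.tag }}
+
 - name: commit manifests
 uses: EndBug/add-and-commit@1bad3abcf0d6ec49a5857d124b0bfb52dc7bb081 # v9.1.3
 with: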
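Review bot: The added `Install crane` step reads `uses: uses: imjasonh/setup-crane@…`; the doubled key puts `: ` inside a plain scalar, so the workflow file will most likely fail to parse and the release job will never reach the signing step. It should read `uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3`. Separately, the old `Login to dockerhub to push the image` step stays as context next to the new `docker/login-action` step, so Docker Hub is logged in twice and `${{ secrets.DockerHubToken }}` is still expanded straight into the shell command text. test.yml drops that step in this same commit, and release.yml can drop it too. The steps list continues outside the second hunk.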

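--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,6 +29,12 @@ jobs:
 
 release-dev-image:
 runs-on: ubuntu-latest
+
+permissions:
+contents: read
+packages: write
+id-token: write
+
 needs: test
 if: github.ref == 'refs/heads/master'
 steps:
@@ -43,10 +49,19 @@ jobs:
 go-version-file: go.mod
 check-latest: true
 
-- name: Login to dockerhub to push the image
-run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin
-env:
-DOCKER_USER: ${{ secrets.DockerHubUser }}
+- name: Login to DockerHub
+uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+with:
+username: ${{ secrets.DockerHubUser }}
+password: ${{ secrets.DockerHubToken }}
+
+- name: Login to GitHub Docker Registry
+uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: build and push new CCM dev image
 run: |
-VERSION=dev make publish
+VERSION=dev make publish sign copy-ghcr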
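Review bot: `VERSION=dev make publish sign copy-ghcr` now invokes cosign and crane, but this file gains no `Install cosign` or `Install crane` step. The section's 20 added lines are fully accounted for by the permissions block, the two login steps and this command. Unless both tools are already provided by steps outside the hunks, the `release-dev-image` job will fail at `make sign` on master. Add the same two pinned steps release.yml uses (`sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2` and `imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3`) before the logins. The job's steps list begins and continues outside the visible hunks.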

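--- a/Makefile
+++ b/Makefile
@@ -23,6 +23,7 @@ COMMIT ?= $(shell git rev-parse HEAD)
 BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 VERSION ?= $(shell cat VERSION)
 REGISTRY ?= digitalocean
+REGISTRY_GHCR ?= ghcr.io/digitalocean
 GO_VERSION ?= $(shell go mod edit -print | grep -E '^go [[:digit:].]*' | cut -d' ' -f2)
 
 LDFLAGS ?= -X github.com/digitalocean/digitalocean-cloud-controller-manager/cloud-controller-manager/do.version=$(VERSION) -X github.com/digitalocean/digitalocean-cloud-controller-manager/vendor/k8s.io/kubernetes/pkg/version.gitVersion=$(VERSION) -X github.com/digitalocean/digitalocean-cloud-controller-manager/vendor/k8s.io/kubernetes/pkg/version.gitCommit=$(COMMIT) -X github.com/digitalocean/digitalocean-cloud-controller-manager/vendor/k8s.io/kubernetes/pkg/version.gitTreeState=$(GIT_TREE_STATE)
@@ -89,6 +90,12 @@ else
 @echo "==> Your image is now available at $(REGISTRY)/digitalocean-cloud-controller-manager:$(VERSION)"
 endif
 
+sign:
+@cosign sign --yes $(REGISTRY)/digitalocean-cloud-controller-manager@$(shell crane digest $(REGISTRY)/digitalocean-cloud-controller-manager:$(VERSION))
+
+copy-ghcr:
+@cosign copy $(REGISTRY)/digitalocean-cloud-controller-manager:$(VERSION) $(REGISTRY_GHCR)/digitalocean-cloud-controller-manager:$(VERSION)
+
 .PHONY: govet
 govet:
 @go vet $(shell go list ./... | grep -v vendor)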
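Review bot: `sign` looks the digest up from the mutable tag `:$(VERSION)` after the push, and `copy-ghcr` resolves that tag again. The pushed, signed and copied images are therefore linked only by the tag, not by one digest. If the tag is re-pushed in between (two master builds both publishing `dev`, for instance), the signature can land on a different image than the one this run built or copied. Have `publish` record the digest it pushed and reference `@<digest>` in both targets. If `crane digest` fails, `$(shell …)` expands to nothing and cosign receives a reference ending in `@`, so a non-empty check before signing would make that failure explicit. Both targets are also missing a phony declaration, unlike `govet` below: `.PHONY: sign copy-ghcr`.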
