Update templated files to rev ec01d15 (#355)

Automatically created PR based on commit ec01d153883ed8bc0a34a14489a9aebcee415017 in stackabletech/operator-templating repo. Triggered by: Manual run triggered by: dervoeti with message [Sign container images in Nexus]
stackabletech · Jul 14, 2023 · 689dca5 · 689dca5
1 parent cb369e5
commit 689dca5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -282,6 +282,8 @@ jobs:
       - tests_passed
       - select_helm_repo
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     env:
       NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
       HELM_REPO: ${{ needs.select_helm_repo.outputs.helm_repository }}
@@ -312,6 +314,8 @@ jobs:
         # Recreate charts and publish charts and docker image. The "-e" is needed as we want to override the
         # default value in the makefile if called from this action, but not otherwise (i.e. when called locally).
         # This is needed for the HELM_REPO variable.
+      - name: Set up Cosign
+        uses: sigstore/[email protected]
       - name: Publish Docker image and Helm chart
         run: make -e publish
         # Output the name of the published image to the Job output for later use

diff --git a/Makefile b/Makefile
@@ -30,7 +30,16 @@ docker-build:
 
 docker-publish:
 	echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"
-	docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}"
+	DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\
+	# Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
+	REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
+	if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\
+		echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}';\
+		exit 1;\
+	fi;\
+	# This generates a signature and publishes it to the registry, next to the image\
+	# Uses the keyless signing flow with Github Actions as identity provider\
+	cosign sign -y ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:@$$REPO_DIGEST_OF_IMAGE
 
 # TODO remove if not used/needed
 docker: docker-build docker-publish