sign test

tkatila · tkatila · commit c1feaf3fc42a · 2024-08-13T10:26:01.000+03:00
Signed-off-by: Tuomas Katila &lt;tuomas.katila@intel.com&gt;
diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml
@@ -1,16 +1,22 @@
 name: publish
 on:
+  workflow_dispatch:
   workflow_call:
     inputs:
       image_tag:
         default: "devel"
         required: false
         type: string
+      registry:
+        default: "docker.io/intel"
+        required: false
+        type: string
 env:
   no_base_check: "['intel-qat-plugin-kerneldrv', 'intel-idxd-config-initcontainer', 'crypto-perf', 'opae-nlb-demo']"
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   image:
@@ -20,27 +26,27 @@ jobs:
       fail-fast: false
       matrix:
         image:
-          - intel-fpga-admissionwebhook
-          - intel-fpga-initcontainer
-          - intel-gpu-initcontainer
+          #- intel-fpga-admissionwebhook
+          # - intel-fpga-initcontainer
+          # - intel-gpu-initcontainer
           - intel-gpu-plugin
-          - intel-fpga-plugin
-          - intel-qat-initcontainer
-          - intel-qat-plugin
-          - intel-deviceplugin-operator
-          - intel-sgx-admissionwebhook
-          - intel-sgx-plugin
-          - intel-sgx-initcontainer
-          - intel-dsa-plugin
-          - intel-iaa-plugin
-          - intel-idxd-config-initcontainer
-          - intel-dlb-plugin
-          - intel-dlb-initcontainer
-          - intel-xpumanager-sidecar
+          # - intel-fpga-plugin
+          # - intel-qat-initcontainer
+          # - intel-qat-plugin
+          # - intel-deviceplugin-operator
+          # - intel-sgx-admissionwebhook
+          # - intel-sgx-plugin
+          # - intel-sgx-initcontainer
+          # - intel-dsa-plugin
+          # - intel-iaa-plugin
+          # - intel-idxd-config-initcontainer
+          # - intel-dlb-plugin
+          # - intel-dlb-initcontainer
+          # - intel-xpumanager-sidecar
 
           # # Demo images
-          - crypto-perf
-          - opae-nlb-demo
+          #- crypto-perf
+          #- opae-nlb-demo
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
@@ -52,21 +58,57 @@ jobs:
         env:
           IMAGE_NAME: ${{ matrix.image }}
         run: |
-          REG=intel/ make ${IMAGE_NAME} BUILDER=docker
+          ORG=${{ inputs.registry }} TAG=${{ inputs.image_tag }} make ${IMAGE_NAME} BUILDER=docker
+      - name: List images
+        run: docker images
       - name: Trivy scan for image
         uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
         with:
           scan-type: image
-          image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
+          image-ref: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
           exit-code: 1
       - name: Test image base layer
         # Don't run base layer check for selected images
         if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
-        run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
+        run: IMG=${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
       - name: Login
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
         with:
+          registry: ghcr.io
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_PASS }}
-      - name: Push
-        run: docker push intel/${{ matrix.image }}:${{ inputs.image_tag }}
+      - name: Push & Pull
+        run: |
+          docker push ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
+          docker pull ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
+      - name: Get image digest
+        if: ${{ inputs.image_tag != 'devel' }}
+        id: digest
+        run: |
+          echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }})" >> $GITHUB_OUTPUT
+      - name: Install OIDC Client from Core Package
+        run: npm install @actions/core@1.6.0 @actions/http-client
+      - name: Get Id Token
+        uses: actions/github-script@v6
+        id: idtoken
+        with:
+          script: |
+            const coredemo = require('@actions/core')
+            let id_token = await coredemo.getIDToken()
+            coredemo.setOutput('id_token', id_token)
+      - run: |
+          echo ${{ steps.idtoken.id_token }}
+      - name: Install cosign
+        if: ${{ inputs.image_tag != 'devel' }}
+        uses: sigstore/cosign-installer@v3.6.0
+      - name: Keyless image sign
+        if: ${{ inputs.image_tag != 'devel' }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          echo ${{ steps.digest.outputs.image_sha }}
+          cosign sign --yes ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
+        #cosign sign --yes ${{ steps.digest.outputs.image_sha }}
+      #- name: Verify the image signing
+      #  run: |
+      #    cosign verify  --rekor-url "https://rekor.sigstore.dev/" ${{ steps.digest.outputs.image_sha }} --certificate-identity "https://github.com/saintmalik/sign-container-images/.github/workflows/keyless.yaml@refs/heads/main" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,18 @@
+name: Test
+on:
+  workflow_dispatch:
+  push:
+
+permissions:
+  contents: read
+  pull-requests: read
+  id-token: write
+
+jobs:
+  build:
+    name: Build & Publish
+    uses: "./.github/workflows/lib-publish.yaml"
+    secrets: inherit
+    with:
+      image_tag: v9.99.9
+      registry: ghcr.io/tkatila
