Automatically sign containers

ukri-excalibur · Nov 7, 2023 · e972cfc · e972cfc
1 parent d0f3cc6
commit e972cfc
Showing 1 changed file with 36 additions and 5 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -9,6 +9,8 @@ on:
 env:
   SPACK_COLOR: always
   SPACK_BACKTRACE: please
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ukri-excalibur/github-actions-buildcache
 
 jobs:
   rebuild:
@@ -22,7 +24,7 @@ jobs:
 
     - name: Install Spack
       run: |
-        git clone --depth=1 https://github.com/spack/spack.git
+        git clone --depth=1 --branch=oci/dump-oci-digest-upon-upload https://github.com/haampie/spack.git
         echo "${PWD}/spack/bin/" >> "${GITHUB_PATH}"
 
     - name: Spack version
@@ -45,7 +47,7 @@ jobs:
     - name: Push packages and update index
       timeout-minutes: 10
       run: |
-        spack -e . buildcache push -j $(($(nproc) + 1)) --unsigned --update-index excalibur-buildcache
+        spack -e . buildcache push -j $(($(nproc) + 1)) --oci-output-digests digests.txt --unsigned --update-index excalibur-buildcache
       if: always()
 
     # Install the cosign tool except on PR
@@ -56,7 +58,36 @@ jobs:
       with:
         cosign-release: 'v1.13.1'
 
-    - name: Setup tmate session
-      uses: mxschmitt/action-tmate@v3
+    # Login against a Docker registry except on PR
+    # https://github.com/docker/login-action
+    - name: Log into registry
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v2
       with:
-        limit-access-to-actor: true
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.REGISTRY_TOKEN }}
+
+    - name: Write signing key to disk (only needed for `cosign sign --key`)
+      run: echo "${{ secrets.COSIGN_PRIVATE_KEY  }}" > cosign.key
+
+    # Sign the resulting Docker image digest except on PRs.
+    # This will only write to the public Rekor transparency log when the Docker
+    # repository is public to avoid leaking data.  If you would like to publish
+    # transparency data even for private images, pass --force to cosign below.
+    # https://github.com/sigstore/cosign
+    - name: Sign the published images
+      if: ${{ github.event_name != 'pull_request' }}
+      env:
+        COSIGN_EXPERIMENTAL: "true"
+        COSIGN_PASSWORD: ""
+      # This step uses the identity token to provision an ephemeral certificate
+      # against the sigstore community Fulcio instance.
+      run: |
+        DIGESTS="$(cat digests.txt)"
+        if [[ -n "${DIGESTS}" ]]; then
+            for image in ${DIGESTS}; do
+                echo "Signing ${image}..."
+                cosign sign --key cosign.key "${image}"
+            done
+        fi