ci: name external-action steps and add keyless Cosign image signing #39

Merged: sangwa merged 1 commit into main from ci/cosign-keyless-signing on Jun 21, 2026

@sangwa sangwa commented Jun 21, 2026

Contributor

What

Two CI hygiene / supply-chain improvements across all five workflows.

1. Step names on every external-action step

Every `uses:` step that lacked a `name:` now has a descriptive one — Check out, Set up Buildx, Set up ORAS, Log in to GHCR, Install Cosign, Set up Node.js, Set up Python, Upload deploy-info … — matching the naming style in `axionhypothesis/.github/workflows/build-images.yaml`.

2. Keyless Cosign signing on every build-and-push

| Workflow | Signed step(s) |
|---|---|
| build.yml | the main Build and push |
| build-thailand.yml | the Build and push (overlay) (gated by the existing proceed flag) |
| release.yml | both fallback builds (regular + thai), each gated on …mode == 'build' |

Each signing job gains id-token: write (OIDC → Sigstore Fulcio for a short-lived cert, recorded in Rekor — no long-lived keys). Cosign is installed via sigstore/cosign-installer pinned to its commit SHA (# v4.1.2, the latest action release) with cosign-release: v3.1.1 (latest cosign binary). Images are signed by digest, so the sha-<short> and moving/version tags are all covered by one call; an inline cosign verify recipe documents verification.

Why release.yml signs only the fallback builds: its normal path promotes via oras tag, which adds the version tag to the exact manifest digest that build.yml / build-thailand.yml already signed. The signature is attached to the digest and carries forward, so promoted images need no re-signing.

test.yml and deploy-thailand.yml get names only — neither builds-and-pushes an image (test.yml's docker build is push: false; deploy-thailand.yml only pins GitOps manifests).

Verification

  • actionlint passes on all five workflows.
  • Confirmed no step-level `uses:` remains unnamed.
  • cosign-installer SHA + both version pins resolved live from the GitHub API.

Note for reviewers / ops: the signing jobs require id-token: write, already added to each job's permissions. Keyless signing uses Sigstore's public-good Fulcio + Rekor — no new repo secrets needed.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Implemented keyless Cosign signing for Docker images to enhance security and enable artifact verification
    • Enhanced CI/CD workflows with explicit setup steps and improved deployment pipeline configuration
    • Updated workflow step naming for better clarity and maintainability

Two CI hygiene/supply-chain improvements across all five workflows.

Step names: every `uses:` step that lacked a `name:` now has a
descriptive one (Check out, Set up Buildx, Set up ORAS, Log in to GHCR,
Install Cosign, Set up Node.js, Set up Python, Upload deploy-info …),
matching the style used in axionhypothesis's build-images workflow.

Keyless Cosign signing on every build-and-push:
- build.yml — sign the pushed manifest.
- build-thailand.yml — sign the overlay (gated by the existing `proceed`).
- release.yml — sign both fallback builds. The normal promote path
  (oras tag) only re-tags the digest build*.yml already signed, so the
  signature carries forward and a promoted image needs no re-signing.

Each signing job gains `id-token: write` (OIDC -> Sigstore Fulcio/Rekor,
no long-lived keys). Cosign installed via
sigstore/cosign-installer pinned to its commit SHA (# v4.1.2) with
cosign-release v3.1.1. Images are signed by digest, so the sha-<short>
and moving/version tags are covered by one call; an inline `cosign
verify` recipe documents verification.

test.yml and deploy-thailand.yml get names only — neither builds and
pushes an image.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
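
The pattern this PR describes, condensed into one job as an added example; it is not taken from the repository's workflow files. OWNER, REPO, IMAGE, TAG and every `<commit-sha>` are placeholders, and the trigger and step layout are assumptions.

```yaml
# Added illustration, not the repository's workflow. OWNER, REPO, IMAGE, TAG
# and every <commit-sha> are placeholders.
name: build
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # push to GHCR
      id-token: write  # OIDC token exchanged at Fulcio for a short-lived cert
    steps:
      - name: Check out
        uses: actions/checkout@<commit-sha>
      - name: Set up Buildx
        uses: docker/setup-buildx-action@<commit-sha>
      - name: Log in to GHCR
        uses: docker/login-action@<commit-sha>
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        id: build
        uses: docker/build-push-action@<commit-sha>
        with:
          push: true
          tags: ghcr.io/OWNER/IMAGE:TAG
      - name: Install Cosign
        uses: sigstore/cosign-installer@<commit-sha>  # v4.1.2
        with:
          cosign-release: v3.1.1
      - name: Sign image with Cosign
        # Values reach the script through env rather than inline expressions.
        env:
          IMAGE: ghcr.io/OWNER/IMAGE
          DIGEST: ${{ steps.build.outputs.digest }}
        # Sign the immutable digest, never a tag; every tag on it is covered.
        run: cosign sign --yes "${IMAGE}@${DIGEST}"
      # Verify from any machine; no key material is needed:
      #   cosign verify \
      #     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      #     --certificate-identity-regexp \
      #       '^https://github\.com/OWNER/REPO/\.github/workflows/build\.yml@refs/heads/main$' \
      #     ghcr.io/OWNER/IMAGE@sha256:<digest>
```

The identity regexp ties a valid signature to one workflow file on one branch; a verifier that accepts any certificate identity only proves that someone with a GitHub OIDC token signed the image.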
coderabbitai Bot commented Jun 21, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 36613022-30f3-4605-815f-060630e9e8af

📥 Commits

Reviewing files that changed from the base of the PR and between 11c2b67 and 6fc5bd8.

📒 Files selected for processing (5)
  • .github/workflows/build-thailand.yml
  • .github/workflows/build.yml
  • .github/workflows/deploy-thailand.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml

Walkthrough

Four GitHub Actions workflow files are updated to integrate keyless Cosign image signing. build.yml and build-thailand.yml add id-token: write OIDC permissions, install Cosign, and add a Sign image with Cosign step that signs the pushed image by manifest digest using cosign sign --yes. release.yml similarly adds OIDC permissions and Cosign signing steps for both the regular and Thailand images, but only on the fallback build promotion path; a comment clarifies that ORAS-promoted tags share the same digest and need no re-signing. release.yml also splits the deploy-info artifact upload into a dedicated step for production.json. Minor cosmetic changes (explicit step names, YAML reordering) are applied to deploy-thailand.yml and test.yml without altering behavior.


Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Possibly related PRs

  • EternisAI/agent-sandbox#31: Adds the Thailand sandbox image build workflow (build-thailand.yml), which this PR extends with OIDC permissions and a Cosign digest-signing step.
  • EternisAI/agent-sandbox#35: Refactors image digest capture for deploy-info and promotion paths in build.yml and release.yml, which are the same digests this PR now passes to cosign sign.

Poem

🐇 Hop, hop, the images are signed today,
With OIDC tokens sent Fulcio's way.
No secret keys, just ephemeral certs,
Each manifest digest now cryptographically hurts
Any imposter who dares forge our art —
The bunny has signed it right from the heart! 🔏

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'ci: name external-action steps and add keyless Cosign image signing' accurately summarizes the two main changes: naming CI steps and implementing keyless Cosign signing across workflows. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@sangwa sangwa merged commit 5a43635 into main Jun 21, 2026
3 checks passed