ci: name external-action steps and add keyless Cosign image signing #39
Two CI hygiene/supply-chain improvements across all five workflows.

Step names: every `uses:` step that lacked a `name:` now has a descriptive one (Check out, Set up Buildx, Set up ORAS, Log in to GHCR, Install Cosign, Set up Node.js, Set up Python, Upload deploy-info …), matching the style used in axionhypothesis's build-images workflow.

Keyless Cosign signing on every build-and-push:
- build.yml — sign the pushed manifest.
- build-thailand.yml — sign the overlay (gated by the existing `proceed`).
- release.yml — sign both fallback builds.

The normal promote path (oras tag) only re-tags the digest build*.yml already signed, so the signature carries forward and a promoted image needs no re-signing. Each signing job gains `id-token: write` (OIDC -> Sigstore Fulcio/Rekor, no long-lived keys). Cosign installed via sigstore/cosign-installer pinned to its commit SHA (# v4.1.2) with cosign-release v3.1.1. Images are signed by digest, so the sha-<short> and moving/version tags are covered by one call; an inline `cosign verify` recipe documents verification.

test.yml and deploy-thailand.yml get names only — neither builds and pushes an image.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
CodeRabbit review:
No actionable comments were generated in the recent review.
Walkthrough: Four GitHub Actions workflow files are updated to integrate keyless Cosign image signing.
Pre-merge checks: 5 passed.
What

Two CI hygiene / supply-chain improvements across all five workflows.

1. Step names on every external-action step

Every `uses:` step that lacked a `name:` now has a descriptive one — Check out, Set up Buildx, Set up ORAS, Log in to GHCR, Install Cosign, Set up Node.js, Set up Python, Upload deploy-info … — matching the naming style in axionhypothesis/.github/workflows/build-images.yaml.

2. Keyless Cosign signing on every build-and-push

- build.yml — Build and push
- build-thailand.yml — Build and push (overlay) (gated by the existing `proceed` flag)
- release.yml — … mode == 'build'

Each signing job gains `id-token: write` (OIDC → Sigstore Fulcio for a short-lived cert, recorded in Rekor — no long-lived keys). Cosign is installed via sigstore/cosign-installer pinned to its commit SHA (# v4.1.2, the latest action release) with `cosign-release: v3.1.1` (latest cosign binary). Images are signed by digest, so the sha-<short> and moving/version tags are all covered by one call; an inline `cosign verify` recipe documents verification.

Why

release.yml signs only the fallback builds: its normal path promotes via `oras tag`, which adds the version tag to the exact manifest digest that build.yml / build-thailand.yml already signed. The signature is attached to the digest and carries forward, so promoted images need no re-signing.

test.yml and deploy-thailand.yml get names only — neither builds-and-pushes an image (test.yml's docker build is `push: false`; deploy-thailand.yml only pins GitOps manifests).

Verification

actionlint passes on all five workflows. No `uses:` step remains unnamed.

🤖 Generated with Claude Code
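Added example (not one of the PR's workflow files): a minimal build-and-push job combining the pieces the description lists, the `id-token: write` permission, a SHA-pinned cosign-installer, signing the pushed digest once so every tag is covered, and the verify recipe a consumer runs. `OWNER/IMAGE`, `OWNER/REPO` and `<commit-sha-for-v4.1.2>` are placeholders, not values from the PR.

```yaml
name: build

on:
  push:
    branches: [main]

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write   # job can mint an OIDC token for Sigstore Fulcio; no stored signing key
    steps:
      - name: Check out
        uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: |
            ghcr.io/OWNER/IMAGE:sha-${{ github.sha }}
            ghcr.io/OWNER/IMAGE:latest

      - name: Install Cosign
        # Pin the action to a reviewed commit SHA (placeholder below); the trailing comment records the tag.
        uses: sigstore/cosign-installer@<commit-sha-for-v4.1.2> # v4.1.2
        with:
          cosign-release: v3.1.1

      - name: Sign image (keyless, by digest)
        # One signature on the manifest digest covers every tag that points at it.
        run: cosign sign --yes "ghcr.io/OWNER/IMAGE@${{ steps.push.outputs.digest }}"

      - name: Verify signature
        # Consumer-side recipe: the certificate must come from the GitHub OIDC issuer
        # and name this repo's build workflow on main as the signing identity.
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/OWNER/REPO/\.github/workflows/build\.yml@refs/heads/main$' \
            "ghcr.io/OWNER/IMAGE@${{ steps.push.outputs.digest }}"
```

Re-tagging the same digest later (for example with `oras tag`) does not invalidate this signature, since it is attached to the digest rather than to a tag.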