Fix Cosign image signing by using digest instead of tag to avoid sign… #91
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Multi-Stage Workflow | |
on: | |
push: | |
branches: [ "main" ] | |
permissions: | |
contents: read | |
security-events: write | |
actions: read | |
jobs: | |
build: # This job builds and pushes the Docker image to Docker Hub. | |
name: Build and Push Docker Image & Sign Container Image | |
runs-on: "ubuntu-20.04" | |
steps: | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@v3.6.0 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- id: docker_meta # used to generate image version tag | |
uses: docker/metadata-action@v5 | |
with: | |
images: saurabhkr952/dev-portfolio | |
tags: type=sha,format=short | |
- name: Build and push | |
uses: docker/build-push-action@v6 | |
id: build-and-push | |
with: | |
push: true | |
tags: ${{ steps.docker_meta.outputs.tags }} | |
platforms: linux/amd64,linux/arm64 | |
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
# temp cosign sign --yes --key env://COSIGN_PRIVATE_KEY saurabhkr952/dev-portfolio@sha256:${{ github.sha }} | |
- name: Sign image with a key | |
run: | | |
images="" | |
for tag in ${TAGS}; do | |
images+="${tag}@${DIGEST} " | |
done | |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images} | |
env: | |
TAGS: ${{ steps.docker_meta.outputs.tags }} | |
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
scan_upload: #This job checks the vulnerability of the Container Vulnerability Check & Upload it. | |
name: Container Vulnerability Check | |
needs: build | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe | |
with: | |
image-ref: 'docker.io/saurabhkr952/dev-portfolio:${{ github.sha }}' | |
format: 'template' | |
template: '@/contrib/sarif.tpl' | |
output: 'trivy-results.sarif' | |
severity: 'CRITICAL,HIGH' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
update_manifest: # this job will update the kubernetes manifest files image version tag | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
- scan_upload | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: saurabhkr952/dev-portfolio-manifest | |
ref: 'main' | |
token: ${{ secrets.PAT_TOKEN }} | |
- name: Setup git config and update manifest tag | |
run: | | |
git config --local user.email "action@github.com" | |
git config --local user.name "GitHub Action" | |
sed -i 's+saurabhkr952/dev-portfolio:.*+saurabhkr952/dev-portfolio:${{ github.sha }}+g' deployment.yaml | |
git add . | |
git commit -s -m "Update image tag in deployment manifest - ${{ github.sha }}" | |
- name: Push changes | |
uses: ad-m/github-push-action@master | |
with: | |
github_token: ${{ secrets.PAT_TOKEN }} | |
repository: saurabhkr952/dev-portfolio-manifest | |
force: true | |
slack-workflow-status: # send the status of the workflow that it is success,failed or cancelled | |
if: always() | |
name: Post Workflow Status To Slack | |
needs: | |
- build | |
- scan_upload | |
- update_manifest | |
runs-on: ubuntu-latest | |
permissions: | |
actions: 'read' | |
steps: | |
- name: Slack Workflow Notification | |
uses: Gamesight/slack-workflow-status@master | |
with: | |
repo_token: ${{ secrets.PAT_TOKEN }} | |
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
channel: '#general' | |
name: 'CI/CD Workflow Status' | |
icon_emoji: ':repeat:' | |
icon_url: 'https://avatars0.githubusercontent.com/u/1701160?s=96&v=4' |