Skip to content
Multi-Stage Workflow

Fix Cosign image signing by using digest instead of tag to avoid sign… #92

Sign in to view logs

Fix Cosign image signing by using digest instead of tag to avoid sign…

Fix Cosign image signing by using digest instead of tag to avoid sign… #92

Workflow file for this run

.github/workflows/multi-stage-workflow.yml at 59d2a2b
name: Multi-Stage Workflow
on:
push:
branches: [ "main" ]
permissions:
contents: read
security-events: write
actions: read
jobs:
build: # This job builds and pushes the Docker image to Docker Hub.
name: Build and Push Docker Image & Sign Container Image
runs-on: "ubuntu-20.04"
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Install Cosign
uses: sigstore/cosign-installer@v3.6.0
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- id: docker_meta # used to generate image version tag
uses: docker/metadata-action@v5
with:
images: saurabhkr952/dev-portfolio
tags: type=sha,format=short
- name: Build and push
uses: docker/build-push-action@v6
id: build-and-push
with:
push: true
tags: saurabhkr952/dev-portfolio:${{ github.sha }}
platforms: linux/amd64,linux/arm64
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
# temp cosign sign --yes --key env://COSIGN_PRIVATE_KEY saurabhkr952/dev-portfolio@sha256:${{ github.sha }}
- name: Sign image with a key
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
env:
TAGS: saurabhkr952/dev-portfolio:${{ github.sha }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
scan_upload: #This job checks the vulnerability of the Container Vulnerability Check & Upload it.
name: Container Vulnerability Check
needs: build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: 'docker.io/saurabhkr952/dev-portfolio:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
update_manifest: # this job will update the kubernetes manifest files image version tag
runs-on: ubuntu-latest
needs:
- build
- scan_upload
steps:
- uses: actions/checkout@v4
with:
repository: saurabhkr952/dev-portfolio-manifest
ref: 'main'
token: ${{ secrets.PAT_TOKEN }}
- name: Setup git config and update manifest tag
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
sed -i 's+saurabhkr952/dev-portfolio:.*+saurabhkr952/dev-portfolio:${{ github.sha }}+g' deployment.yaml
git add .
git commit -s -m "Update image tag in deployment manifest - ${{ github.sha }}"
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.PAT_TOKEN }}
repository: saurabhkr952/dev-portfolio-manifest
force: true
slack-workflow-status: # send the status of the workflow that it is success,failed or cancelled
if: always()
name: Post Workflow Status To Slack
needs:
- build
- scan_upload
- update_manifest
runs-on: ubuntu-latest
permissions:
actions: 'read'
steps:
- name: Slack Workflow Notification
uses: Gamesight/slack-workflow-status@master
with:
repo_token: ${{ secrets.PAT_TOKEN }}
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
channel: '#general'
name: 'CI/CD Workflow Status'
icon_emoji: ':repeat:'
icon_url: 'https://avatars0.githubusercontent.com/u/1701160?s=96&v=4'