Sign digests not tags.
The logic that was in here was signing the tags we publish, which has a race. Also, since what cosign signs is actually the digest, this was signing 3x where we really only need one call.
mattmoor committed Dec 17, 2021
1 parent 2e8a139 commit 47995cc
Showing 1 changed file with 9 additions and 12 deletions.
21 changes: 9 additions & 12 deletions .github/workflows/release.yaml
Expand Up @@ -54,6 +54,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile
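Review bot: The new `id: build-and-push` is only useful if the `digest` output it exposes is actually populated, and docker/build-push-action fills `digest` from the push result; the `with:` block is cut off in this hunk, so confirm `push: true` is set on this step, otherwise the later `cosign sign ... executor@${{ steps.build-and-push.outputs.digest }}` runs with an empty digest and fails on a malformed image reference instead of signing anything.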
Expand All @@ -72,9 +73,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:latest
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
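Review bot: Collapsing the three per-tag `cosign sign` calls into one call on `executor@${{ steps.build-and-push.outputs.digest }}` closes the race at the right layer: a tag can be re-pointed between the push and the sign, whereas the digest is content-addressed and cannot change. `cosign verify` resolves a tag to its digest before looking up the signature, so `cosign verify ... executor:latest` keeps working with only the digest signed. Worth one line in the release docs: the tags themselves remain mutable on the registry, so consumers who care about the same race should pull and verify by digest rather than by tag.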
build-debug:
env:
Expand Down Expand Up @@ -124,6 +123,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_debug
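Review bot: `docker/build-push-action@v2` is pinned to a mutable major tag inside a job that authenticates to GCR and holds the KMS signing key reference; if that tag is ever moved, whatever it then points at runs with the ability to push and sign release images. For a signing workflow, pin the action to a full commit SHA and keep the version in a trailing comment.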
Expand All @@ -142,9 +142,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
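Review bot: `export KMS_VAL=gcpkms://projects/kaniko-project/...` is now repeated verbatim in all four jobs and each sign line is identical apart from the image reference; hoist the key URI into a workflow-level `env:` block so a key rotation is a one-line change rather than four edits that can drift apart.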
build-warmer:
env:
Expand Down Expand Up @@ -192,7 +190,9 @@ jobs:
# Set up docker to authenticate
# via gcloud command-line tool.
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_warmer
Expand All @@ -211,9 +211,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:latest
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
build-slim:
env:
Expand Down Expand Up @@ -263,6 +261,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_slim
Expand All @@ -281,7 +280,5 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
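Review bot: With every job now reduced to a single digest-based sign call, a cheap guard is to follow it with `cosign verify` against the same `executor@${{ steps.build-and-push.outputs.digest }}` using the key's public half (cosign accepts the same `gcpkms://` URI for verification), so a misconfigured key reference or a signature attached to the wrong registry location fails the release job rather than being discovered by the first consumer.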

0 comments on commit 47995cc