Sign digests not tags. (GoogleContainerTools#1840)
The logic that was in here was signing the tags we publish, which has a race.  Also since what cosign signs is actually the digest, this was signing 3x where we really only need one call.
mattmoor authored and gcalmettes-fbox committed Dec 24, 2021
1 parent 9378e45 commit 524de6c
Showing 1 changed file with 9 additions and 12 deletions.
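To make the race described in the commit message concrete, the following is an added Python model; it is not kaniko's or cosign's code. It assumes an in-memory registry where tags are mutable pointers and digests are content-addressed, and a stand-in `cosign_sign` that resolves a reference to a digest and signs only the digest (the hard-coded key and the HMAC are assumptions standing in for the `gcpkms://` key). It runs three scenarios: the old tag-based signing while a concurrent run re-points `latest`, the new digest-based signing under the same interference, and the three-tags-one-digest case that made the three calls redundant.

```python
"""Tag-vs-digest signing race, modelled in Python.

Added example, not kaniko's or cosign's code. The in-memory Registry,
the hard-coded key and the HMAC "signature" are assumptions standing in
for an OCI registry and for cosign's KMS-backed signing. They model the
one property that matters here: tags are mutable, digests are not.
"""
import hashlib
import hmac

# Assumption: a toy symmetric key standing in for the gcpkms:// key.
SIGNING_KEY = b"stand-in-for-the-cosign-kms-key"


class Registry:
    """Minimal registry model: manifest content is addressed by digest,
    tags are pointers that any later push can move."""

    def __init__(self):
        self.manifests = {}  # digest -> manifest bytes (immutable by construction)
        self.tags = {}       # tag -> digest (mutable pointer)

    def push(self, tag, manifest):
        digest = "sha256:" + hashlib.sha256(manifest).hexdigest()
        self.manifests[digest] = manifest
        self.tags[tag] = digest  # moves the tag if it already existed
        return digest

    def resolve(self, ref):
        """'repo@sha256:...' resolves to itself; 'repo:tag' follows the tag."""
        if "@" in ref:
            return ref.split("@", 1)[1]
        return self.tags[ref.rsplit(":", 1)[1]]


def cosign_sign(registry, ref, store):
    """What cosign does: resolve the reference to a digest, sign the digest.
    The tag string itself is never part of the signed payload."""
    digest = registry.resolve(ref)
    store[digest] = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return digest


def cosign_verify(registry, ref, store):
    """Resolve the reference, then check for a valid signature on that digest."""
    digest = registry.resolve(ref)
    expected = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(store.get(digest, ""), expected)


def sign_by_tag_under_race():
    """Old workflow: push ':latest', then 'cosign sign executor:latest'.
    A concurrent run moves ':latest' in between, so the digest that gets
    signed is not the manifest this job built (constructed scenario)."""
    reg, sigs = Registry(), {}
    built = reg.push("latest", b"manifest built by this job")
    moved_to = reg.push("latest", b"manifest built by a concurrent run")
    signed = cosign_sign(reg, "executor:latest", sigs)
    return {"built": built, "moved_to": moved_to, "signed": signed,
            "signed_what_we_built": signed == built}


def sign_by_digest_under_race():
    """New workflow: sign the digest reported by the build step. The same
    tag move happens, but the signature covers what was actually built,
    and verifying ':latest' now correctly fails because it points elsewhere."""
    reg, sigs = Registry(), {}
    built = reg.push("latest", b"manifest built by this job")
    reg.push("latest", b"manifest built by a concurrent run")
    signed = cosign_sign(reg, f"executor@{built}", sigs)
    return {
        "signed_what_we_built": signed == built,
        "digest_verifies": cosign_verify(reg, f"executor@{built}", sigs),
        "latest_verifies": cosign_verify(reg, "executor:latest", sigs),
    }


def signatures_for_three_tags_of_one_image():
    """Signing ':<sha>', ':<tag>' and ':latest' that all point at one
    manifest produces a single signature, which is why one call suffices.
    Tag names are constructed placeholders, not real kaniko releases."""
    reg, sigs = Registry(), {}
    digest = reg.push("abc1234", b"release manifest")
    reg.tags["v0.0.0-example"] = digest
    reg.tags["latest"] = digest
    for tag in ("abc1234", "v0.0.0-example", "latest"):
        cosign_sign(reg, f"executor:{tag}", sigs)
    return len(sigs)
```

The point of the model is the ordering: a tag is resolved at signing time, so anything that moves the tag between the build step's push and the `cosign sign` call changes what gets signed, while the digest emitted by the build step cannot be moved. Consumers should apply the same rule and verify `repo@sha256:...` rather than `repo:tag`.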
21 changes: 9 additions & 12 deletions .github/workflows/release.yaml
@@ -54,6 +54,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile
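Review bot: the new `id: build-and-push` only does its job if this step actually pushes, because `steps.build-and-push.outputs.digest`, consumed by the signing step further down, must be the digest of the manifest the registry stores. Only `context: .` and `file: ./deploy/Dockerfile` are visible in this hunk, so confirm the step's `with:` block still carries `push: true` and the same tag list as before; a digest from a local-only build would otherwise be what gets signed.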
@@ -72,9 +73,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:latest
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-debug:
env:
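Review bot: `-kms $KMS_VAL` is the pre-1.0 cosign spelling of the key flag; cosign 1.x takes a KMS URI via `--key gcpkms://...`, so check which cosign release this workflow installs (not shown in the hunk) and switch to `--key $KMS_VAL` if it is 1.x. The move to `executor@${{ steps.build-and-push.outputs.digest }}` is the right fix for the race: the three removed lines asked cosign to resolve `:${{ env.GITHUB_SHA }}`, `:${{ steps.vars.outputs.tag }}` and `:latest` at signing time, and a tag such as `latest` can be re-pointed by another run between the push and the sign, whereas the build step's digest is exactly what this job produced. Since the tag references are gone from this step, make sure the tags are still pushed by the build step so `:latest` continues to resolve to the signed digest.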
@@ -124,6 +123,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_debug
@@ -142,9 +142,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:debug
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-warmer:
env:
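Review bot: the `export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign` line is now identical in all four signing steps; hoist it to a workflow-level `env:` so the key resource name is maintained in one place. Dropping the `-debug` suffix from the reference is correct here, since the digest identifies the debug manifest on its own; confirm the `-debug` tags are still pushed by this job's build step so `:debug` keeps resolving to a signed digest.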
@@ -192,7 +190,9 @@ jobs:
# Set up docker to authenticate
# via gcloud command-line tool.
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_warmer
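Review bot: the hunk header `-192,7 +190,9` records two added lines here, which matches both `- uses: docker/build-push-action@v2` and `id: build-and-push` being new in the warmer job, unlike the executor hunks where only the `id` line was added. Confirm the warmer job did not already declare `- uses: docker/build-push-action@v2` just above this context; if it did, the earlier, unconfigured step would now run before the one that carries this `with:` block.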
@@ -211,9 +211,7 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:latest
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
build-slim:
env:
@@ -263,6 +261,7 @@ jobs:
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_slim
@@ -281,7 +280,5 @@ jobs:
# Use cosign to sign the images
- run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:slim
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
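Review bot: guard the digest before the sign call so an empty `steps.build-and-push.outputs.digest` fails with a clear message instead of as a malformed `executor@` reference, e.g. `test -n "${{ steps.build-and-push.outputs.digest }}"` as the first line of this script; the same guard belongs in the other three signing steps. Otherwise this hunk mirrors the executor change, and the `-slim` suffix is correctly absent from the digest reference.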