Commit 1559722

chore(ci): sign container images with ddsign (#1065)
## Summary
- Sign the image for ci image jobs per [instruction](https://datadoghq.atlassian.net/wiki/spaces/SECENG/pages/2744681107/Image+Integrity+User+Guide)

Fixes: https://datadoghq.atlassian.net/browse/SVLS-8644

Co-authored-by: tianning.li <tianning.li@datadoghq.com>
1 parent 7bc7e7c commit 1559722

1 file changed: +6 -1 lines changed

.gitlab-ci.yml

Lines changed: 6 additions & 1 deletion
@@ -23,10 +23,15 @@ ci image:
2323
changes:
2424
- .gitlab/Dockerfile
2525
when: on_success
26+
id_tokens:
27+
DDSIGN_ID_TOKEN:
28+
aud: image-integrity
2629
variables:
2730
DOCKER_TARGET: ${DOCKER_TARGET_IMAGE}:${DOCKER_TARGET_VERSION}
2831
script:
29-
- docker buildx build --platform linux/amd64,linux/arm64 --no-cache --pull --push --tag ${DOCKER_TARGET} -f .gitlab/Dockerfile .
32+
- METADATA_FILE=$(mktemp)
33+
- docker buildx build --platform linux/amd64,linux/arm64 --no-cache --pull --push --tag ${DOCKER_TARGET} --metadata-file ${METADATA_FILE} -f .gitlab/Dockerfile .
34+
- ddsign sign ${DOCKER_TARGET} --docker-metadata-file ${METADATA_FILE}
3035

3136
.go-cache: &go-cache
3237
key: datadog-lambda-extension-go-cache
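
Review bot: In the `script:` block the build step still passes `--push`, so the multi-arch image is already published under `${DOCKER_TARGET}` before `ddsign sign` runs; if the signing step fails, the job fails but an unsigned image stays in the registry under that tag. Consider noting in the job (or the linked guide) that consumers must verify the signature rather than trust the tag, or adding a retry or cleanup path for a failed sign step. Two smaller points: nothing in the script references `DDSIGN_ID_TOKEN`, so a one-line comment on how `ddsign` consumes it and why the audience is `image-integrity` would help the next reader, and `${METADATA_FILE}` and `${DOCKER_TARGET}` are used unquoted while the `mktemp` file is never removed.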
