Skip to content

Add sign-public-ecr-image job to release workflow #1362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wangzlei merged 1 commit into from
Apr 17, 2026
+50 −0
Merged

Add sign-public-ecr-image job to release workflow #1362

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions .github/workflows/release-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -528,3 +528,53 @@ jobs:
${{ env.ARTIFACT_NAME }}.sha256 \
layer.zip \
layer.zip.sha256

sign-public-ecr-image:
runs-on: ubuntu-latest
needs: publish-sdk
steps:
- name: Configure AWS Credentials for public ECR
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
with:
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_RELEASE }}
aws-region: ${{ env.AWS_PUBLIC_ECR_REGION }}

# Install notation CLI with AWS Signer plugin
- name: Install notation CLI with AWS Signer plugin
run: |
curl -Lo aws-signer-notation-cli_amd64.deb https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
Copy link
Copy Markdown

@github-actions github-actions Bot Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security: Binary downloaded without integrity verification

The notation CLI .deb package is downloaded from a CloudFront URL using the mutable latest tag, with no checksum or signature verification before installing via dpkg. If the CDN or distribution endpoint is compromised, a malicious binary would be silently installed and then used to sign your release images.

Consider pinning to a specific version and verifying its SHA256 checksum, e.g.:

run: |
  NOTATION_VERSION="1.3.0"  # pin to a known version
  NOTATION_SHA256="<expected-sha256>"
  curl -Lo aws-signer-notation-cli_amd64.deb \
    "https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/${NOTATION_VERSION}/aws-signer-notation-cli_amd64.deb"
  echo "${NOTATION_SHA256}  aws-signer-notation-cli_amd64.deb" | sha256sum -c -
  sudo dpkg -i aws-signer-notation-cli_amd64.deb

This is the same supply-chain hardening principle behind pinning GitHub Actions to commit SHAs (which this workflow already does correctly).

sudo dpkg -i aws-signer-notation-cli_amd64.deb
notation version
notation plugin ls

# Query ECR signing profile ARN
- name: Query ECR Signing Profile ARN
id: ecr-signing-profile
run: |
PROFILE_ARN=$(aws signer list-signing-profiles --region ${{ env.AWS_PUBLIC_ECR_REGION }} --query "profiles[?profileName=='ADOTECRSigningProfile'].arn" --output text 2>/dev/null)
Copy link
Copy Markdown

@github-actions github-actions Bot Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: stderr suppression masks real AWS CLI errors. Redirecting stderr to /dev/null on the aws signer list-signing-profiles call (2>/dev/null) means that real failures like authentication errors, network timeouts, permission denied, and throttling are silently suppressed and treated identically to profile-not-found. The job would succeed without signing even when the profile exists but credentials are misconfigured. Consider removing 2>/dev/null and checking the exit code explicitly. If the AWS CLI call fails, the step should fail rather than silently skip. You could also use workflow warning annotations when the profile genuinely does not exist, so operators have visibility into skipped signing during releases. Note: the same 2>/dev/null pattern exists in the publish-layer-prod job (line 305) but is less critical there since that step uses continue-on-error: true.

if [ -n "$PROFILE_ARN" ]; then
echo "profile_arn=$PROFILE_ARN" >> $GITHUB_OUTPUT
echo "Found ECR signing profile: $PROFILE_ARN"
else
echo "ECR signing profile 'ADOTECRSigningProfile' not found"
Copy link
Copy Markdown

@github-actions github-actions Bot Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Silent success when signing profile is missing may be too permissive for a release workflow. When the profile is not found, this exits 0 and subsequent steps are skipped via conditionals - the entire job reports success without any image being signed. For a release pipeline, consider making this a hard failure (exit 1) or at minimum emitting a GitHub Actions warning annotation so that release operators are aware signing was skipped. A release that ships unsigned images when signing was intended could be a compliance gap.

exit 0
fi

# Login to Public ECR
- name: Log in to AWS public ECR
if: steps.ecr-signing-profile.outputs.profile_arn != ''
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
with:
registry: public.ecr.aws

# Sign Public ECR Image
- name: Sign Public ECR Image
if: steps.ecr-signing-profile.outputs.profile_arn != ''
run: |
# Sign the released public ECR image
notation sign ${{ env.PUBLIC_REPOSITORY }}:v${{ env.VERSION }} \
--plugin com.amazonaws.signer.notation.plugin \
--id ${{ steps.ecr-signing-profile.outputs.profile_arn }}
echo "Successfully signed public ECR image"
echo "Image: ${{ env.PUBLIC_REPOSITORY }}:v${{ env.VERSION }}"
echo "Profile ARN: ${{ steps.ecr-signing-profile.outputs.profile_arn }}"
Loading