Skip to content

Commit bcff222

Browse files
authored
Merge pull request #483 from com-pas/task/implement-signed-release
chore: update release workflow to include image signing
2 parents 0f09072 + 6a6ed7b commit bcff222

2 files changed

Lines changed: 27 additions & 1 deletion

File tree

.github/workflows/release-project.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,13 +13,19 @@ jobs:
1313
name: Build and publish
1414
runs-on: ubuntu-latest
1515
timeout-minutes: 45
16+
permissions:
17+
contents: read
18+
id-token: write
1619

1720
steps:
1821
- name: Checkout
1922
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
2023
with:
2124
submodules: 'true'
2225

26+
- name: Install Cosign
27+
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 #v4.1.2
28+
2329
- name: Cache Docker Register
2430
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae #v5
2531
with:
@@ -49,6 +55,7 @@ jobs:
4955
npm ci
5056
npm run-script build
5157
- name: Build and push docker image to Docker Hub
58+
id: build-push
5259
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f #v7.1.0
5360
with:
5461
# Set the context to use the packages/compas-open-scd directory and not execute it's own git checkout.
@@ -58,3 +65,7 @@ jobs:
5865
tags: |
5966
lfenergy/compas-open-scd:${{ steps.extract_tagname.outputs.tagname }}
6067
lfenergy/compas-open-scd:latest
68+
69+
- name: Sign Docker image with Cosign
70+
run: |
71+
cosign sign --yes lfenergy/compas-open-scd@${{ steps.build-push.outputs.digest }}

SECURITY.md

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,5 +2,20 @@
22

33
## Reporting a Vulnerability
44

5-
Please go to [Security Advisories](https://github.com/com-pas/compas-open-scd/security/advisories) to privately report a security vulnerability,
5+
Please go to [Security Advisories](https://github.com/com-pas/compas-open-scd/security/advisories) to privately report a security vulnerability,
66
our contributors will try to respond within a week of your report with a rough plan for a fix and new tests.
7+
8+
## Verifying Docker images
9+
10+
Docker images published by this project are signed using [Cosign](https://github.com/sigstore/cosign) keyless signing via [Sigstore](https://www.sigstore.dev/). Signatures are recorded in the public [Rekor](https://rekor.sigstore.dev/) transparency log — no private key is stored or required.
11+
12+
To verify an image, install Cosign ([instructions](https://docs.sigstore.dev/cosign/system_config/installation/)) and run:
13+
14+
```sh
15+
cosign verify \
16+
--certificate-identity-regexp "https://github.com/com-pas/compas-open-scd/.github/workflows/release-project.yml@refs/tags/.*" \
17+
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
18+
lfenergy/compas-open-scd:<tag>
19+
```
20+
21+
Replace `<tag>` with the specific release tag (e.g. `v1.2.3`) or `latest`.

0 commit comments

Comments
 (0)