diff --git a/.github/workflows/automate-projects.yml b/.github/workflows/automate-projects.yml
deleted file mode 100644
index ec1a05d..0000000
--- a/.github/workflows/automate-projects.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Alliander N.V.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-name: Add issues and pull request to project boards
-
-on: [ issues, pull_request, pull_request_target ]
-
-jobs:
- github-actions-automate-projects:
- runs-on: ubuntu-latest
-
- if: ${{ (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
- steps:
- - name: add-new-issues-to-organization-based-project-column
- if: github.event_name == 'issues' && github.event.action == 'opened'
- uses: alex-page/github-project-automation-plus@v0.9.0
- with:
- project: CoMPAS Issues Overview Board
- column: To do
- repo-token: ${{ secrets.ORG_GITHUB_ACTION_SECRET }}
- - name: add-new-pull-request-to-organization-based-project-column
- if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action == 'opened'
- uses: alex-page/github-project-automation-plus@v0.9.0
- with:
- project: CoMPAS Pull Request Overview Board
- column: To do
- repo-token: ${{ secrets.ORG_GITHUB_ACTION_SECRET }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index f57ccd8..0ab3daf 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -8,6 +8,7 @@ on:
 permissions:
 contents: write
+ id-token: write
 pull-requests: write
 name: release-please
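Review bot: `id-token: write` is added to what appears to be the workflow-level `permissions:` block (its neighbours `contents: write` and `pull-requests: write` sit under the top-level `on:` context and are followed by the top-level `name: release-please`), so every job in this workflow can mint OIDC tokens, not only the job that later runs `cosign sign`. Scope it to the signing job instead by giving that job its own `permissions:` block containing `id-token: write`; a job-level block replaces the workflow-level one, so `contents: write` and `pull-requests: write` must be repeated there if that job still needs them. Indentation was lost in this rendering, so confirm the block's level before moving it.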
@@ -61,6 +62,10 @@ jobs:
 with:
 username: ${{ secrets.DOCKER_HUB_USERNAME }}
 password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+ - name: Install Cosign
+ if: ${{ steps.release.outputs.release_created }}
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: Create custom Maven Settings.xml
 if: ${{ steps.release.outputs.release_created }}
@@ -78,3 +83,9 @@ jobs:
 run: ./mvnw -B -s custom_maven_settings.xml -Pnative-image,release clean deploy
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Sign Docker image with Cosign
+ if: ${{ steps.release.outputs.release_created }}
+ run: |
+ DIGEST=$(docker buildx imagetools inspect lfenergy/compas-sitipe-service:${{ steps.release.outputs.version }} --format '{{.Manifest.Digest}}')
+ cosign sign --yes lfenergy/compas-sitipe-service@"${DIGEST}"
\ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
index be71b80..c7de219 100644
--- a/SECURITY.md
+++ b/SECURITY.md
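Review bot: `${{ steps.release.outputs.version }}` is interpolated straight into the `run:` script of the new "Sign Docker image with Cosign" step; the idiomatic form is to hand expression values to the shell through `env:` so the script text never changes with the output, e.g. `env:` / `  VERSION: ${{ steps.release.outputs.version }}` and `DIGEST=$(docker buildx imagetools inspect "lfenergy/compas-sitipe-service:${VERSION}" --format '{{.Manifest.Digest}}')`. The digest is also re-resolved from the mutable tag after the Maven deploy step rather than taken from the push itself, so whatever the tag points at when this step runs is what gets signed; if the deploy step can expose the pushed digest, prefer signing that. The `on:` triggers of this workflow are outside the hunk, so confirm releases are only signed from the ref that SECURITY.md pins in its `--certificate-identity` (`@refs/heads/main`), otherwise the documented verify command will reject the signatures. The new `run: |` block is now the last line of the file and lacks a trailing newline (`\ No newline at end of file`).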
@@ -5,6 +5,21 @@ SPDX-License-Identifier: Apache-2.0 -->
 # Security Policy
+## Verifying Docker images
+
+Docker images published by this project are signed using [Cosign](https://github.com/sigstore/cosign) keyless signing via [Sigstore](https://www.sigstore.dev/). Signatures are recorded in the public [Rekor](https://rekor.sigstore.dev/) transparency log — no private key is stored or required.
+
+To verify an image, install Cosign ([instructions](https://docs.sigstore.dev/cosign/system_config/installation/)) and run:
+
+```sh
+cosign verify \
+ --certificate-identity "https://github.com/com-pas/compas-sitipe-service/.github/workflows/release-please.yml@refs/heads/main" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ lfenergy/compas-sitipe-service:
+```
+
+Replace `` with the specific release tag (e.g. `v0.3.1`) or `latest`.
+
 ## Reporting a Vulnerability
 Please go to [Security Advisories](https://github.com/com-pas/compas-sitipe-service/security/advisories) to privately report a security vulnerability,