feat(docker): sign built images with cosign

neilime · neilime · commit 404a87ebf64a · 2025-07-08T21:00:01.000+02:00
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/workflows/__test-workflow-docker-build-images.yml b/.github/workflows/__test-workflow-docker-build-images.yml
@@ -16,6 +16,7 @@ permissions:
 # jscpd:ignore-start
 jobs:
   arrange:
+    name: Arrange
     runs-on: ubuntu-latest
     steps:
       - run: |
@@ -24,7 +25,8 @@ jobs:
             exit 1
           fi
 
-  act-build-arch:
+  act-build-images:
+    name: Act - Build multi-arch and mono-arch images
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
@@ -55,17 +57,18 @@ jobs:
           }
         ]
 
-  assert-build-arch:
-    needs: act-build-arch
+  assert-build-arch-mono-arch:
+    name: Assert - multi-arch and mono-arch builds
+    needs: act-build-images
     runs-on: "ubuntu-latest"
     steps:
-      - name: Check built images ouput
+      - name: Assert - built images output
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const builtImagesOutput = `${{ needs.act-build-arch.outputs.built-images }}`;
+            const builtImagesOutput = `${{ needs.act-build-images.outputs.built-images }}`;
             assert(builtImagesOutput.length, `"built-images" output is empty`);
 
             // Check if is valid Json
@@ -132,13 +135,13 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ github.token }}
 
-      - name: Check multi-arch docker image and manifest
+      - name: Assert - multi-arch docker image and manifest
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-multi-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -194,13 +197,23 @@ jobs:
               assert.equal(annotations[key], value, `Expected annotation not found: ${key}`);
             });
 
+      - name: Assert signed multi-arch docker image
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const assert = require("assert");
+
+            for(const image of ${{ fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images }}) {
+              await exec.exec('cosign', ['verify', image]);
+            }
+
       - name: Check mono-arch docker image
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-mono-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -239,7 +252,18 @@ jobs:
               );
             });
 
+      - name: Assert signed mono-arch docker image
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const assert = require("assert");
+
+            for(const image of ${{ fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images }}) {
+              await exec.exec('cosign', ['verify', image]);
+            }
+
   act-build-args-secrets-and-registry-caching:
+    name: Act - Build with args, secrets and registry caching
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
@@ -275,6 +299,7 @@ jobs:
         SECRET_ENV_GITHUB_APP_TOKEN_2
 
   assert-build-args-secrets-and-registry-caching:
+    name: Assert - Build with args, secrets and registry caching
     needs: act-build-args-secrets-and-registry-caching
     runs-on: "ubuntu-latest"
     steps:
diff --git a/.github/workflows/docker-build-images.md b/.github/workflows/docker-build-images.md
@@ -19,7 +19,7 @@ Needs the following permissions:
 - `issues`: `read`
 - `packages`: `write`
 - `pull-requests`: `read`
-- `id-token`: `write` <!-- FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 -->
+- `id-token`: `write`
 
 <!-- end description -->
 <!-- start contents -->
@@ -39,7 +39,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml
@@ -137,7 +137,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
@@ -500,3 +499,9 @@ jobs:
           oci-registry-username: ${{ inputs.oci-registry-username }}
           oci-registry-password: ${{ secrets.oci-registry-password }}
           built-images: ${{ steps.built-images.outputs.built-images }}
+
+      - id: sign-images
+        uses: ./self-workflow/actions/docker/sign-images
+        with:
+          built-images: ${{ steps.built-images.outputs.built-images }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/actions/docker/sign-images/README.md b/actions/docker/sign-images/README.md
@@ -0,0 +1,34 @@
+<!-- start title -->
+<!-- end title -->
+<!--
+// jscpd:ignore-start
+-->
+<!-- markdownlint-disable MD013 -->
+<!-- start badges -->
+<!-- end badges -->
+<!-- markdownlint-enable MD013 -->
+<!--
+// jscpd:ignore-end
+-->
+<!-- start description -->
+<!-- end description -->
+<!-- start contents -->
+<!-- end contents -->
+
+If default GitHub token is used, the following permissions are required:
+
+```yml
+permissions:
+  id-token: write
+```
+
+<!-- start usage -->
+<!-- end usage -->
+<!-- start inputs -->
+<!-- end inputs -->
+<!-- markdownlint-disable MD013 -->
+<!-- start outputs -->
+<!-- end outputs -->
+<!-- markdownlint-enable MD013 -->
+<!-- start [.github/ghadocs/examples/] -->
+<!-- end [.github/ghadocs/examples/] -->
diff --git a/actions/docker/sign-images/action.yml b/actions/docker/sign-images/action.yml
@@ -0,0 +1,90 @@
+---
+name: "Sign image"
+description: |
+  Action to sign an OCI image.
+  It is based on [cosign](https://github.com/sigstore/cosign).
+  It signs the image wioth the GitHub Actions OIDC token.
+
+author: hoverkraft
+branding:
+  icon: award
+  color: blue
+
+inputs:
+  built-images:
+    description: |
+      Built images data. 
+      Example:
+      
+      ```json
+      {
+        "application": {
+          "name": "application",
+          "registry": "ghcr.io",
+          "repository": "my-org/my-repo/application",
+          "tags": ["pr-63-5222075","pr-63"],
+          "images": [
+            "ghcr.io/my-org/my-repo/application:pr-63-5222075",
+            "ghcr.io/my-org/my-repo/application:pr-63"
+          ],
+          "digests": [
+            "ghcr.io/my-org/my-repo/application@sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d",
+            "ghcr.io/my-org/my-repo/application@sha256:0f5aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f402"
+          ],
+          "annotations": {
+            "org.opencontainers.image.created": "2021-09-30T14:00:00Z",
+            "org.opencontainers.image.description": "Application image"
+          }
+        }
+      }
+      ```
+    required: true
+  github-token:
+    description: |
+      GitHub Token to sign the image.
+      Permissions:
+        - id-token: write
+    default: ${{ github.token }}
+
+runs:
+  using: "composite"
+  steps:
+    - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+
+    - name: Sign the images with GitHub OIDC Token 
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      with:
+        github-token: ${{ inputs.github-token }}
+        script: |
+          const builtImagesInput = `${{ inputs.built-images }}`;
+          let builtImages = null;
+          try {
+            builtImages = JSON.parse(builtImagesInput);
+          } catch (error) {
+            throw new Error(`"built-images" input is not a valid JSON: ${error}`);
+          }
+
+          // Create manifest for each image
+          const commands = Object.keys(builtImages).map(imageName => {
+            const builtImage = builtImages[imageName];
+
+            const imageTags = builtImage.images.join(" ");
+
+            const digests = builtImage.digests.join(" ");
+
+            signImageCommand = `cosign sign --recursive --yes ${imageTags}`;
+
+            return new Promise(async (resolve, reject)  => {
+              try {
+                await exec.exec(signImageCommand);
+                core.debug(`Sign image tags "${builtImage.name}" ("${signImageCommand}") executed`);
+                resolve();
+              } catch(error){
+                reject(error);
+              }
+            });
+          });
+
+          await Promise.all(commands);
+
+          core.debug("All images signed successfully");
