feat(docker): sign built images with cosign

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>

Author: neilime

.github/workflows/__main-ci.yml

@@ -20,7 +20,6 @@ permissions:
   pull-requests: write
   security-events: write
   statuses: write
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 concurrency:

.github/workflows/__pull-request-ci.yml

@@ -14,7 +14,6 @@ permissions:
   pull-requests: write
   security-events: write
   statuses: write
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 concurrency:

.github/workflows/__shared-ci.yml

@@ -12,8 +12,6 @@ permissions:
   pull-requests: read
   security-events: write
   statuses: write
-  # yamllint disable-line rule:line-length
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
@@ -42,10 +40,6 @@ jobs:
     needs: linter
     uses: ./.github/workflows/__test-action-get-image-name.yml
 
-  test-action-helm-generate-docs:
-    needs: linter
-    uses: ./.github/workflows/__test-action-helm-generate-docs.yml
-
   test-action-helm-parse-chart-uri:
     needs: linter
     uses: ./.github/workflows/__test-action-helm-parse-chart-uri.yml

.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml

@@ -10,7 +10,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 env:

.github/workflows/__test-action-helm-generate-docs.yml

@@ -8,14 +8,12 @@ on: # yamllint disable-line rule:truthy
 permissions:
   contents: read
   packages: write
+  id-token: write
 
 jobs:
   tests:
     name: Test for "helm/release-chart" action with simple chart
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -61,6 +59,7 @@ jobs:
           tag: 0.1.0
           helm-repositories: |
             bitnami https://charts.bitnami.com/bitnami
+          github-token: ${{ github.token }}
 
       # yamllint disable rule:line-length
       - name: Check release chart output

.github/workflows/__test-action-helm-release-chart.yml

@@ -10,7 +10,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:

.github/workflows/__test-action-helm-test-chart.yml

@@ -10,12 +10,12 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 # jscpd:ignore-start
 jobs:
   arrange:
+    name: Arrange
     runs-on: ubuntu-latest
     steps:
       - run: |
@@ -24,7 +24,8 @@ jobs:
             exit 1
           fi
 
-  act-build-arch:
+  act-build-images:
+    name: Act - Build multi-arch and mono-arch images
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
@@ -55,17 +56,18 @@ jobs:
           }
         ]
 
-  assert-build-arch:
-    needs: act-build-arch
+  assert-build-arch-mono-arch:
+    name: Assert - multi-arch and mono-arch builds
+    needs: act-build-images
     runs-on: "ubuntu-latest"
     steps:
-      - name: Check built images ouput
+      - name: Assert - built images output
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const builtImagesOutput = `${{ needs.act-build-arch.outputs.built-images }}`;
+            const builtImagesOutput = `${{ needs.act-build-images.outputs.built-images }}`;
             assert(builtImagesOutput.length, `"built-images" output is empty`);
 
             // Check if is valid Json
@@ -132,13 +134,13 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ github.token }}
 
-      - name: Check multi-arch docker image and manifest
+      - name: Assert - multi-arch docker image and manifest
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-multi-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -194,13 +196,25 @@ jobs:
               assert.equal(annotations[key], value, `Expected annotation not found: ${key}`);
             });
 
-      - name: Check mono-arch docker image
+      - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+
+      - name: Assert - signed multi-arch docker image
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const images = ${{ toJson(fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images) }};
+
+            for(const image of images) {
+              await exec.exec('cosign', ['verify', image]);
+            }
+
+      - name: Assert - mono-arch docker image
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-mono-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -239,7 +253,18 @@ jobs:
               );
             });
 
+      - name: Assert - signed mono-arch docker image
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const images = ${{ toJson(fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images) }};
+
+            for(const image of images) {
+              await exec.exec('cosign', ['verify', '--keyless', image]);
+            }
+
   act-build-args-secrets-and-registry-caching:
+    name: Act - Build with args, secrets and registry caching
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
@@ -275,6 +300,7 @@ jobs:
         SECRET_ENV_GITHUB_APP_TOKEN_2
 
   assert-build-args-secrets-and-registry-caching:
+    name: Assert - Build with args, secrets and registry caching
     needs: act-build-args-secrets-and-registry-caching
     runs-on: "ubuntu-latest"
     steps:

.github/workflows/__test-workflow-docker-build-images.yml

@@ -19,7 +19,7 @@ Needs the following permissions:
 - `issues`: `read`
 - `packages`: `write`
 - `pull-requests`: `read`
-- `id-token`: `write` <!-- FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 -->
+- `id-token`: `write`
 
 <!-- end description -->
 <!-- start contents -->
@@ -39,7 +39,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:

.github/workflows/docker-build-images.md

@@ -137,7 +137,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
@@ -500,3 +499,23 @@ jobs:
           oci-registry-username: ${{ inputs.oci-registry-username }}
           oci-registry-password: ${{ secrets.oci-registry-password }}
           built-images: ${{ steps.built-images.outputs.built-images }}
+
+      - id: get-images-to-sign
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const builtImagesInput = `${{ steps.built-images.outputs.built-images }}`;
+            let builtImages = null;
+            try {
+              builtImages = JSON.parse(builtImagesInput);
+            } catch (error) {
+              throw new Error(`"built-images" input is not a valid JSON: ${error}`);
+            }
+
+            // Get images to sign
+            const imagesToSign = Object.values(builtImages).map(image => image.images).flat();
+            core.setOutput('images-to-sign', JSON.stringify(imagesToSign));
+      - uses: ./self-workflow/actions/docker/sign-images
+        with:
+          images: ${{ steps.get-images-to-sign.outputs.images-to-sign }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}