feat(docker): sign built images with cosign

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>

Author: neilime

.github/workflows/__main-ci.yml

@@ -20,7 +20,6 @@ permissions:
   pull-requests: write
   security-events: write
   statuses: write
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 concurrency:

.github/workflows/__pull-request-ci.yml

@@ -14,7 +14,6 @@ permissions:
   pull-requests: write
   security-events: write
   statuses: write
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 concurrency:

.github/workflows/__shared-ci.yml

@@ -12,8 +12,6 @@ permissions:
   pull-requests: read
   security-events: write
   statuses: write
-  # yamllint disable-line rule:line-length
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
@@ -42,10 +40,6 @@ jobs:
     needs: linter
     uses: ./.github/workflows/__test-action-get-image-name.yml
 
-  test-action-helm-generate-docs:
-    needs: linter
-    uses: ./.github/workflows/__test-action-helm-generate-docs.yml
-
   test-action-helm-parse-chart-uri:
     needs: linter
     uses: ./.github/workflows/__test-action-helm-parse-chart-uri.yml

.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml

@@ -10,7 +10,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 env:

.github/workflows/__test-action-helm-generate-docs.yml

@@ -10,7 +10,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:

.github/workflows/__test-action-helm-test-chart.yml

@@ -10,12 +10,12 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 # jscpd:ignore-start
 jobs:
   arrange:
+    name: Arrange
     runs-on: ubuntu-latest
     steps:
       - run: |
@@ -24,7 +24,8 @@ jobs:
             exit 1
           fi
 
-  act-build-arch:
+  act-build-images:
+    name: Act - Build multi-arch and mono-arch images
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
@@ -55,17 +56,18 @@ jobs:
           }
         ]
 
-  assert-build-arch:
-    needs: act-build-arch
+  assert-build-arch-mono-arch:
+    name: Assert - multi-arch and mono-arch builds
+    needs: act-build-images
     runs-on: "ubuntu-latest"
     steps:
-      - name: Check built images ouput
+      - name: Assert - built images output
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const builtImagesOutput = `${{ needs.act-build-arch.outputs.built-images }}`;
+            const builtImagesOutput = `${{ needs.act-build-images.outputs.built-images }}`;
             assert(builtImagesOutput.length, `"built-images" output is empty`);
 
             // Check if is valid Json
@@ -132,13 +134,13 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ github.token }}
 
-      - name: Check multi-arch docker image and manifest
+      - name: Assert - multi-arch docker image and manifest
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-multi-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -194,13 +196,23 @@ jobs:
               assert.equal(annotations[key], value, `Expected annotation not found: ${key}`);
             });
 
+      - name: Assert signed multi-arch docker image
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const assert = require("assert");
+
+            for(const image of ${{ fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images }}) {
+              await exec.exec('cosign', ['verify', image]);
+            }
+
       - name: Check mono-arch docker image
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-mono-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -239,7 +251,18 @@ jobs:
               );
             });
 
+      - name: Assert signed mono-arch docker image
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const assert = require("assert");
+
+            for(const image of ${{ fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images }}) {
+              await exec.exec('cosign', ['verify', image]);
+            }
+
   act-build-args-secrets-and-registry-caching:
+    name: Act - Build with args, secrets and registry caching
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
@@ -275,6 +298,7 @@ jobs:
         SECRET_ENV_GITHUB_APP_TOKEN_2
 
   assert-build-args-secrets-and-registry-caching:
+    name: Assert - Build with args, secrets and registry caching
     needs: act-build-args-secrets-and-registry-caching
     runs-on: "ubuntu-latest"
     steps:

.github/workflows/__test-workflow-docker-build-images.yml

@@ -19,7 +19,7 @@ Needs the following permissions:
 - `issues`: `read`
 - `packages`: `write`
 - `pull-requests`: `read`
-- `id-token`: `write` <!-- FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 -->
+- `id-token`: `write`
 
 <!-- end description -->
 <!-- start contents -->
@@ -39,7 +39,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:

.github/workflows/docker-build-images.md

@@ -137,7 +137,6 @@ permissions:
   issues: read
   packages: write
   pull-requests: read
-  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
   id-token: write
 
 jobs:
@@ -500,3 +499,9 @@ jobs:
           oci-registry-username: ${{ inputs.oci-registry-username }}
           oci-registry-password: ${{ secrets.oci-registry-password }}
           built-images: ${{ steps.built-images.outputs.built-images }}
+
+      - id: sign-images
+        uses: ./self-workflow/actions/docker/sign-images
+        with:
+          built-images: ${{ steps.built-images.outputs.built-images }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docker-build-images.yml

@@ -0,0 +1,34 @@
+<!-- start title -->
+<!-- end title -->
+<!--
+// jscpd:ignore-start
+-->
+<!-- markdownlint-disable MD013 -->
+<!-- start badges -->
+<!-- end badges -->
+<!-- markdownlint-enable MD013 -->
+<!--
+// jscpd:ignore-end
+-->
+<!-- start description -->
+<!-- end description -->
+<!-- start contents -->
+<!-- end contents -->
+
+If default GitHub token is used, the following permissions are required:
+
+```yml
+permissions:
+  id-token: write
+```
+
+<!-- start usage -->
+<!-- end usage -->
+<!-- start inputs -->
+<!-- end inputs -->
+<!-- markdownlint-disable MD013 -->
+<!-- start outputs -->
+<!-- end outputs -->
+<!-- markdownlint-enable MD013 -->
+<!-- start [.github/ghadocs/examples/] -->
+<!-- end [.github/ghadocs/examples/] -->