ci: Sign release and containers with Cosign and GitHub OIDC

- Replace the Cosign static key with GitHub Actions OIDC when signing the flagger container image
- Sign the GitHub release assets checksums with Cosign keyless
- Sign the load-tester container image with Cosign keyless

Signed-off-by: Stefan Prodan <[email protected]>

Author: stefanprodan

.cosign/README.md

@@ -12,20 +12,22 @@ jobs:
   release-load-tester:
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       packages: write
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+      - uses: sigstore/cosign-installer@main
       - name: Prepare
         id: prep
         run: |
           VERSION=$(grep 'VERSION' cmd/loadtester/main.go | head -1 | awk '{ print $4 }' | tr -d '"')
           echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
           echo ::set-output name=VERSION::${VERSION}
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v1
         with:
@@ -52,6 +54,8 @@ jobs:
             REVISION=${{ github.sha }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Check images
+      - name: Sign image
+        env:
+          COSIGN_EXPERIMENTAL: 1
         run: |
-          docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}

.cosign/cosign.key

@@ -18,7 +18,7 @@ jobs:
       id-token: write # needed for keyless signing
       packages: write # needed for ghcr access
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: sigstore/cosign-installer@main
       - name: Prepare
         id: prep
@@ -29,12 +29,12 @@ jobs:
           echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
           echo ::set-output name=VERSION::${VERSION}
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: fluxcdbot
@@ -60,17 +60,10 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
       - name: Sign image
+        env:
+          COSIGN_EXPERIMENTAL: 1
         run: |
-          echo -n "${{secrets.COSIGN_PASSWORD}}" | \
-          cosign sign -key ./.cosign/cosign.key -a git_sha=$GITHUB_SHA \
-          ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
-      - name: Check images
-        run: |
-          docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
-      - name: Verifiy image signature
-        run: |
-          cosign verify -key ./.cosign/cosign.pub \
-          ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
       - name: Publish Helm charts
         uses: stefanprodan/[email protected]
         with:

.cosign/cosign.pub

@@ -15,3 +15,16 @@ sboms:
     artifacts: source
     documents:
       - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true