feat: Enable keyless signing of the images

This allow us to not rely on our internal infrastructure. Workflows have been slightly adjusted to be consistent and avoid some footguns. Part of request #41087
Enalean · Dec 5, 2024 · 64f8b55 · 64f8b55
1 parent 2d6c01e
commit 64f8b55
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 14 deletions.
diff --git a/.github/workflows/Build_And_Publish_Docker_Images.yml b/.github/workflows/Build_And_Publish_Docker_Images.yml
@@ -6,9 +6,7 @@ on:
       - main
   workflow_dispatch:
 
-permissions:
-  contents: read
-  packages: write
+permissions: {}
 
 env:
   IMAGE_NAME: tuleap-test-phpunit
@@ -19,22 +17,25 @@ jobs:
       matrix:
         os_base: ["el9"]
         php_base: ["php82", "php83"]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          persist-credentials: false
       - name: Get lowercase base image name
         run: echo BASE_IMAGE_NAME="$(echo ${{ github.repository_owner }} | tr '[A-Z]' '[a-z]')" >> $GITHUB_ENV
       - name: Build image
         run: docker build -t ghcr.io/${{ env.BASE_IMAGE_NAME }}/${{ env.IMAGE_NAME }}:${{ matrix.os_base }}-${{ matrix.php_base }} --build-arg="PHP_BASE=${{ matrix.php_base }}" -f ${{ matrix.os_base }}.dockerfile --label revision=${{ github.sha }} --label workflow_run_id=${{ github.run_id }} .
       - name: Log into ghcr.io
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
       - name: Install Cosign
-        uses: sigstore/[email protected]
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # tag=v3.7.0
       - name: Publish image
         run: docker push ghcr.io/${{ env.BASE_IMAGE_NAME }}/${{ env.IMAGE_NAME }}:${{ matrix.os_base }}-${{ matrix.php_base }}
       - name: Sign Docker Image
-        env:
-          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
         run: |
-          export VAULT_TOKEN=$(curl "$VAULT_ADDR"/v1/auth/approle/login --silent --fail -X POST --data '{"role_id": "${{ secrets.VAULT_ROLE_ID_SIGNING }}", "secret_id": "${{ secrets.VAULT_SECRET_ID_SIGNING }}"}' | jq -r '.auth.client_token')
-          cosign sign --yes --tlog-upload=true --key hashivault://tuleap-additional-tools-signing "$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ env.BASE_IMAGE_NAME }}/${{ env.IMAGE_NAME }}:${{ matrix.os_base }}-${{ matrix.php_base }})"
+          cosign sign --yes "$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ env.BASE_IMAGE_NAME }}/${{ env.IMAGE_NAME }}:${{ matrix.os_base }}-${{ matrix.php_base }})"
diff --git a/.github/workflows/Build_Docker_Image_PR.yml b/.github/workflows/Build_Docker_Image_PR.yml
@@ -3,17 +3,20 @@ name: Build Docker image
 on:
   pull_request:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:
     strategy:
       matrix:
         os_base: ["el9"]
         php_base: ["php82", "php83"]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          persist-credentials: false
       - name: Build image
         run: docker build -t test-build-${{ matrix.os_base }}-${{ matrix.php_base }} -f ${{ matrix.os_base }}.dockerfile --build-arg="PHP_BASE=${{ matrix.php_base }}" .