From 643a39d5562ea5c20fb22f4b12e18a4855280af8 Mon Sep 17 00:00:00 2001 From: OlivierDehaene Date: Thu, 13 Apr 2023 15:26:34 +0200 Subject: [PATCH] feat(ci): add image signing with cosign (#175) --- .github/workflows/build.yaml | 42 ++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 89eaf47e..6e077036 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -27,20 +27,32 @@ concurrency: jobs: build-and-push-image: runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: + - name: Checkout repository + uses: actions/checkout@v3 - name: Initialize Docker Buildx uses: docker/setup-buildx-action@v2.0.0 with: install: true + - name: Inject slug/short variables + uses: rlespinasse/github-slug-action@v4.4.1 + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + with: + cosign-release: 'v1.13.1' - name: Tailscale uses: tailscale/github-action@v1 with: authkey: ${{ secrets.TAILSCALE_AUTHKEY }} - - name: Checkout repository - uses: actions/checkout@v3 - - name: Inject slug/short variables - uses: rlespinasse/github-slug-action@v4.4.1 - name: Login to GitHub Container Registry + if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: registry: ghcr.io @@ -53,6 +65,7 @@ jobs: password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }} registry: registry.internal.huggingface.tech - name: Login to Azure Container Registry + if: github.event_name != 'pull_request' uses: docker/login-action@v2.1.0 with: username: ${{ secrets.AZURE_DOCKER_USERNAME }} @@ -74,7 +87,7 @@ jobs: type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }} - name: Build and push Docker image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v4 with: context: . file: Dockerfile @@ -85,23 +98,34 @@ jobs: cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max cache-to: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + build-and-push-sagemaker-image: needs: - build-and-push-image runs-on: ubuntu-latest steps: + - name: Checkout repository + uses: actions/checkout@v3 - name: Initialize Docker Buildx uses: docker/setup-buildx-action@v2.0.0 with: install: true + - name: Inject slug/short variables + uses: rlespinasse/github-slug-action@v4.4.1 - name: Tailscale uses: tailscale/github-action@v1 with: authkey: ${{ secrets.TAILSCALE_AUTHKEY }} - - name: Checkout repository - uses: actions/checkout@v3 - - name: Inject slug/short variables - uses: rlespinasse/github-slug-action@v4.4.1 - name: Login to internal Container Registry uses: docker/login-action@v2.1.0 with: