chore: implement signed images (#10925)

* consolidate checksums into one file Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> * sign container images Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> * sign container images Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> * remove id-token permissions Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
2026-04-21 17:07:16 +00:00 · 2022-10-14 07:38:08 -07:00 · 2022-10-14 07:38:08 -07:00 · d11ac8954e
commit d11ac8954e
parent 254f3b69ae
3 changed files with 33 additions and 1 deletions
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -66,6 +66,22 @@ jobs:
            -t quay.io/argoproj/argocd:latest .
        working-directory: ./src/github.com/argoproj/argo-cd

+      # sign container images
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.0'
+
+      - name: Sign Argo CD latest image
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
+          # Displays the public key to share.
+          cosign public-key --key env://COSIGN_PRIVATE_KEY
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ github.event_name == 'push' }}
+
      # deploy
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
        if: github.event_name == 'push'
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -214,6 +214,22 @@ jobs:
          ./dist/argocd-linux-amd64 version --client
        if: ${{ env.DRY_RUN != 'true' }}

+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.0'
+
+      - name: Sign Argo CD container images
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          cosign sign --key env://COSIGN_PRIVATE_KEY docker.io/argoproj/argocd:v${TARGET_VERSION}
+          # Retrieves the public key to release as an asset
+          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ env.DRY_RUN != 'true' }}
+
      - name: Read release notes file
        id: release-notes
        uses: juliangruber/read-file-action@v1
--- a/2
+++ b/2
@ -576,7 +576,7 @@ applicationset-controller:

 .PHONY: checksums
 checksums:
-	for f in ./dist/$(BIN_NAME)-*; do openssl dgst -sha256 "$$f" | awk ' { print $$2 }' > "$$f".sha256 ; done
+	sha256sum ./dist/$(BIN_NAME)-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/$(BIN_NAME)-$(TARGET_VERSION)-checksums.txt

 .PHONY: snyk-container-tests
 snyk-container-tests: