Skip to content

ci: embed self-contained cosign image signer (RFC-044.4 WS3a)#25

Merged
devkoriel merged 1 commit into
mainfrom
ci/embed-image-signer
Jun 17, 2026
Merged

ci: embed self-contained cosign image signer (RFC-044.4 WS3a)#25
devkoriel merged 1 commit into
mainfrom
ci/embed-image-signer

Conversation

@devkoriel

Copy link
Copy Markdown
Contributor

What

Adds a self-contained keyless cosign signer at .github/workflows/sign-image.yaml
and removes the dead resign-release-identity.yaml.

Why

This repo is public. GitHub blocks public repositories from calling reusable
workflows in private repositories (actions-workflows is private), so the shared
cosign-sign-and-verify.yaml reusable is unreachable here. resign-release-identity.yaml
called that reusable and could never run (HTTP 422, "workflow was not found"). The
signer therefore has to live in-repo.

sign-image.yaml supports both:

  • workflow_call (digest + tags) so the release build can sign what it just pushed.
  • workflow_dispatch (refs) for the RFC-044.4 WS3a re-sign of the existing
    challenger-go digest under a release identity.

Keyless OIDC, no keys. Signs by digest with --recursive (OCI index + per-arch
children) and self-verifies against this repo's own sign-image.yaml SAN. Actions
are SHA-pinned (docker/login-action, sigstore/cosign-installer), same pins as
the audited shared reusable.

The cosign SAN this produces
(.../chronicleprotocol/challenger/.github/workflows/sign-image.yaml@refs/heads/main)
will be added to the Kyverno verify-chronicle-release-images attestor so these
images verify under the narrowed release identity.

Note (separate, not fixed here)

docker.yml calls the private docker-build-and-publish.yaml reusable and hits the
same public->private wall, so the build path is broken on this public repo. That is a
build problem, tracked separately from this signing change.

Test plan

  • Merge to main (puts the workflow on the default branch).
  • workflow_dispatch with refs=ghcr.io/chronicleprotocol/challenger-go@sha256:c8d5a3....
  • Confirm the run signs + self-verifies.
  • cosign verify the digest against the new SAN externally.

@devkoriel devkoriel merged commit 2d1a715 into main Jun 17, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant