ci: embed self-contained cosign image signer (RFC-044.4 WS3a)#25
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a self-contained keyless cosign signer at
.github/workflows/sign-image.yamland removes the dead
resign-release-identity.yaml.Why
This repo is public. GitHub blocks public repositories from calling reusable
workflows in private repositories (
actions-workflowsis private), so the sharedcosign-sign-and-verify.yamlreusable is unreachable here.resign-release-identity.yamlcalled that reusable and could never run (HTTP 422, "workflow was not found"). The
signer therefore has to live in-repo.
sign-image.yamlsupports both:workflow_call(digest + tags) so the release build can sign what it just pushed.workflow_dispatch(refs) for the RFC-044.4 WS3a re-sign of the existingchallenger-godigest under a release identity.Keyless OIDC, no keys. Signs by digest with
--recursive(OCI index + per-archchildren) and self-verifies against this repo's own
sign-image.yamlSAN. Actionsare SHA-pinned (
docker/login-action,sigstore/cosign-installer), same pins asthe audited shared reusable.
The cosign SAN this produces
(
.../chronicleprotocol/challenger/.github/workflows/sign-image.yaml@refs/heads/main)will be added to the Kyverno
verify-chronicle-release-imagesattestor so theseimages verify under the narrowed release identity.
Note (separate, not fixed here)
docker.ymlcalls the privatedocker-build-and-publish.yamlreusable and hits thesame public->private wall, so the build path is broken on this public repo. That is a
build problem, tracked separately from this signing change.
Test plan
workflow_dispatchwithrefs=ghcr.io/chronicleprotocol/challenger-go@sha256:c8d5a3....cosign verifythe digest against the new SAN externally.