fix(ci): setup cosign correctly and sign images using github oidc token

adfinis · Mar 25, 2024 · c727372 · c727372
1 parent 02ecf09
commit c727372
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 30 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -12,6 +12,19 @@ on:
 
 jobs:
   semrel:
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: none
+      statuses: none
+      id-token: write # needed for signing the images with GitHub OIDC using cosign
+
     name: Semantic Release
     runs-on: ubuntu-latest
     steps:
@@ -71,45 +84,28 @@ jobs:
         uses: aquasecurity/[email protected]
         with:
           image-ref: ghcr.io/${{ github.repository }}/api
-          format: "json"
-          output: "api.json"
-
-      - name: Run Trivy vulnerability scanner on ember
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: ghcr.io/${{ github.repository }}/ember
-          format: "json"
-          output: "ember.json"
-
-      - name: Sign the image with GitHub OIDC Token using cosign
-        run: cosign sign --yes ${{ github.repository }}/${{ inputs.image-ref }}@latest
-        if: ${{ inputs.sign }}
-
-      - name: Convert api trivy results to CycloneDX
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: api.json
-          scan-type: "convert"
           format: "cyclonedx"
-          # skip --vuln-type arg
-          vuln-type: ""
           output: "api.cdx"
 
-      - name: Convert ember trivy results to CycloneDX
+      - name: Run Trivy vulnerability scanner on ember
         uses: aquasecurity/[email protected]
         with:
-          image-ref: ember.json
-          scan-type: "convert"
+          image-ref: ghcr.io/${{ github.repository }}/ember
           format: "cyclonedx"
-          # skip --vuln-type arg
-          vuln-type: ""
           output: "ember.cdx"
 
-      - name: Attach an SBOM attestation to the signed api image
-        run: cosign attest --yes --type cyclonedx --predicate api.cdx ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
+      - name: Install Cosign
+        uses: sigstore/cosign[email protected]
 
-      - name: Attach an SBOM attestation to the signed ember image
-        run: cosign attest --yes --type cyclonedx --predicate ember.cdx ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
+      - name: Sign the images with GitHub OIDC Token using cosign
+        run: |
+          cosign sign --yes ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
+          cosign sign --yes ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
+
+      - name: Attach an SBOM attestation to the signed images
+        run: |
+          cosign attest --yes --type cyclonedx --predicate api.cdx ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
+          cosign attest --yes --type cyclonedx --predicate ember.cdx ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
 
       - name: Set up Helm
         if: steps.semrel.outputs.version != ''

diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
@@ -18,6 +18,7 @@ jobs:
     name: Scan ${{ inputs.image-ref }}
     steps:
       - name: Install Cosign
+        if: ${{ inputs.attest }}
         uses: sigstore/[email protected]
 
       - name: Login to GitHub Container Registry