Add signing of the builds

2025-12-15 00:42:45 +00:00
parent 623cbbcae3
commit c0f5f0830d
3 changed files with 10 additions and 18 deletions
+1
@@ -12,6 +12,7 @@ on:
- main - main
permissions: permissions:
id-token: write
contents: write contents: write
packages: write packages: write
deployments: write deployments: write
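Review bot: `id-token: write` is being added to what the hunk context (`on:` … `- main` … `permissions:`) shows is the workflow-level `permissions` block, so every job in this workflow, not only the one that runs goreleaser and cosign, can request a GitHub OIDC token and obtain a Fulcio certificate carrying this repository's workflow identity. Least privilege would leave the top-level block as it was and put `permissions:` / `id-token: write` (together with the `contents`/`packages` scopes that job actually needs) on the release job only, so a build, lint or test job cannot mint a signing identity. Whether the workflow has more than one job is not visible here; in a single-job workflow the exposure is smaller, but the job-level form still records why the token is granted. The `permissions` block and the rest of the workflow continue outside the hunk.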
+2 -13
@@ -68,17 +68,10 @@ dockers_v2:
signs: signs:
- cmd: cosign - cmd: cosign
env: signature: "${artifact}.sigstore.json"
- COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
certificate: "${artifact}.pem"
args: args:
- sign-blob - sign-blob
- "--key" - "--bundle=${signature}"
- "env://COSIGN_KEY"
- "--output-signature"
- "${signature}"
- "--output-certificate"
- "${certificate}"
- "${artifact}" - "${artifact}"
- "--yes" - "--yes"
artifacts: checksum artifacts: checksum
@@ -86,13 +79,9 @@ signs:
docker_signs: docker_signs:
- cmd: cosign - cmd: cosign
env:
- COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
artifacts: manifests artifacts: manifests
output: true output: true
args: args:
- sign - sign
- "--key"
- "env://COSIGN_KEY"
- "${artifact}@${digest}" - "${artifact}@${digest}"
- "--yes" - "--yes"
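Review bot: Nothing in the rewritten `signs` entry records that it now relies on keyless (Sigstore) signing, so a later reader cannot tell why `--key`, `certificate:` and the `COSIGN_PASSWORD` env are gone or that the job's OIDC token has become the signing identity; a comment above `signs:` such as `# Keyless signing: cosign uses the job's GitHub OIDC token (requires id-token: write); verifiers must pin the certificate identity to the release workflow and a tag ref` would make that explicit, and the same applies to the `docker_signs` hunk below it. Because that identity is whatever workflow and ref obtained the token, the verification this commit documents in the README with `--certificate-identity-regexp "https://github.com/lukaszraczylo/graphql-monitoring-proxy/.*"` accepts a signature produced by any workflow on any branch of the repository; pinning it to the release workflow path and `@refs/tags/…`, anchored with `^` and `$` since cosign's regexp match is not anchored, narrows that to release signatures. Any `COSIGN_KEY`/`COSIGN_PASSWORD` secrets the workflow still exports to goreleaser can presumably be dropped now, though that file is not in view. The `dockers_v2`/`signs` definitions start before the first hunk, as its header context shows.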
+7 -5
@@ -59,18 +59,20 @@ You can find the example of the Kubernetes manifest in the [example standalone d
#### Verifying Release Signatures #### Verifying Release Signatures
All release checksums and Docker images are signed with [cosign](https://github.com/sigstore/cosign). To verify: All release checksums and Docker images are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
```bash ```bash
# Verify checksum signature # Verify checksum signature
cosign verify-blob \ cosign verify-blob \
--key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \ --certificate-identity-regexp "https://github.com/lukaszraczylo/graphql-monitoring-proxy/.*" \
--signature graphql-proxy-checksums.txt.sig \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
graphql-proxy-checksums.txt --bundle "<checksums-file>.sigstore.json" \
<checksums-file>
# Verify Docker image # Verify Docker image
cosign verify \ cosign verify \
--key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \ --certificate-identity-regexp "https://github.com/lukaszraczylo/graphql-monitoring-proxy/.*" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/lukaszraczylo/graphql-monitoring-proxy:latest ghcr.io/lukaszraczylo/graphql-monitoring-proxy:latest
``` ```