6 changes: 6 additions & 0 deletions .changeset/rane-4683-manifest-cosign-hardening.md
@@ -0,0 +1,6 @@
---
"build-push-docker-manifest": minor
"reusable-docker-build-publish": patch
---

Harden manifest create and cosign sign for idempotent build-publish reruns (RANE-4683): skip imagetools create when the tag already points at the expected platform digests, skip cosign sign when a valid signature is already present, retry manifest tag propagation after create to absorb ECR lag, and move the cosign verify gate (with 5×10s retry for Sigstore propagation) to reusable-docker-build-publish
39 changes: 39 additions & 0 deletions .github/workflows/reusable-docker-build-publish.yml
@@ -562,7 +562,7 @@
environment:
name: ${{ inputs.environment }}
# http://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/control-deployments#using-environments-without-deployments
deployment: false

Check failure on line 565 in .github/workflows/reusable-docker-build-publish.yml (GitHub Actions / ci-lint-misc):
[actionlint] reported by reviewdog 🐶 unexpected key "deployment" for "environment" section. expected one of "name", "url" [syntax-check] Raw Output: e:.github/workflows/reusable-docker-build-publish.yml:565:7: unexpected key "deployment" for "environment" section. expected one of "name", "url" [syntax-check]
runs-on: ${{ matrix.runner }}
timeout-minutes: ${{ inputs.timeout }}
strategy:
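Review bot: actionlint rejects the `deployment: false` key under `environment` in this hunk (check failure on line 565, "expected one of name, url"), so either the key is not part of the workflow syntax the pinned actionlint version knows about, or the docs URL in the comment describes behaviour actionlint has not caught up with; confirm the key against the current workflow-syntax reference and bump actionlint (or add a targeted ignore) in the same change so ci-lint-misc passes, rather than merging with a red lint job. The comment link also uses `http://` where `https://` is expected for docs.github.com. Separately, the changeset in `.changeset/rane-4683-manifest-cosign-hardening.md` describes only the manifest/cosign hardening and says nothing about this environment change; add a line for it or move it to its own PR.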
@@ -728,7 +728,7 @@
environment:
name: ${{ inputs.environment }}
# http://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/control-deployments#using-environments-without-deployments
deployment: false

Check failure on line 731 in .github/workflows/reusable-docker-build-publish.yml (GitHub Actions / ci-lint-misc):
[actionlint] reported by reviewdog 🐶 unexpected key "deployment" for "environment" section. expected one of "name", "url" [syntax-check] Raw Output: e:.github/workflows/reusable-docker-build-publish.yml:731:7: unexpected key "deployment" for "environment" section. expected one of "name", "url" [syntax-check]
runs-on: ubuntu-24.04
timeout-minutes: 5
outputs:
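Review bot: same `deployment: false` key and the same actionlint failure (line 731) as the hunk at line 565; whichever resolution is chosen there (confirming the key is valid and updating actionlint, or dropping the key) needs to be applied to this job as well, and the `http://` docs link should be `https://` here too.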
@@ -854,6 +854,45 @@
aws-role-arn: ${{ secrets.AWS_ROLE_PUBLISH_ARN }}
aws-region: ${{ inputs.aws-region-ecr }}

- name: Verify Docker manifest signature
if: ${{ inputs.docker-manifest-sign == 'true' }}
shell: bash
env:
MANIFEST_NAME_WITH_DIGEST: ${{ steps.docker-manifest.outputs.manifest-name-with-digest }}
GITHUB_WORKFLOW_REPOSITORY: ${{ inputs.github-workflow-repository }}
OIDC_ISSUER: https://token.actions.githubusercontent.com
OIDC_IDENTITY_REGEXP: "^https://github.com/smartcontractkit/.*$"
run: |
set -euo pipefail

MAX_RETRIES=5
RETRY_DELAY=10
VERIFY_OK=false

for i in $(seq 1 $MAX_RETRIES); do
echo "Attempt ${i}/${MAX_RETRIES}: Verifying cosign signature for ${MANIFEST_NAME_WITH_DIGEST}..."

if cosign verify "${MANIFEST_NAME_WITH_DIGEST}" \
--certificate-oidc-issuer "${OIDC_ISSUER}" \
--certificate-identity-regexp "${OIDC_IDENTITY_REGEXP}" \
--certificate-github-workflow-repository "${GITHUB_WORKFLOW_REPOSITORY}"; then
echo "Successfully verified signature on attempt ${i}"
VERIFY_OK=true
break
fi

echo "Attempt ${i}/${MAX_RETRIES}: Signature not yet available..."
if [[ "${i}" -lt "${MAX_RETRIES}" ]]; then
echo "Retrying in ${RETRY_DELAY}s..."
sleep "${RETRY_DELAY}"
fi
done

if [[ "$VERIFY_OK" != "true" ]]; then
echo "::error::Failed to verify cosign signature for ${MANIFEST_NAME_WITH_DIGEST} after ${MAX_RETRIES} attempts"
exit 1
fi

# Attest only the manifest index. Build-provenance attestations do not
# transfer from the per-arch images to the index, so the index is
# attested explicitly here. Requires the calling job to grant
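Review bot: the `OIDC_IDENTITY_REGEXP` value `^https://github.com/smartcontractkit/.*$` matches the certificate SAN for any workflow in any repository under the org, so the only thing narrowing the gate is `--certificate-github-workflow-repository "${GITHUB_WORKFLOW_REPOSITORY}"`, and that extension records the repository of the calling run, not the workflow that performed the signing. The result is that a signature produced by any workflow in the repository named by `inputs.github-workflow-repository` would satisfy this verify step, not only one produced by this reusable workflow's signing job. Consider pinning the SAN to the reusable workflow path (for example `^https://github.com/smartcontractkit/<repo>/.github/workflows/reusable-docker-build-publish.yml@refs/.*$`) and, where the ref is known, adding `--certificate-github-workflow-ref`, so the identity check actually names the signer. Two smaller points in the retry loop: every `cosign verify` failure is printed as "Signature not yet available..." and retried, so an identity mismatch or a corrupted signature burns the full 5×10s before failing with the same wording as a propagation delay (capture cosign's stderr and surface it in the `::error::` line so the failure mode is visible), and the hunk does not show where cosign is installed in this job, so check that a setup step precedes this one.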