ci: sign images + return to zuul
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index ce5ddc5..b5c87b8 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -23,6 +23,7 @@
run: zuul.d/playbooks/build-images/run.yml
secrets:
- registry_credentials
+ - cosign_key
- job:
name: atmosphere-molecule
diff --git a/zuul.d/playbooks/build-images/pre.yml b/zuul.d/playbooks/build-images/pre.yml
index ab0c6e1..6b51ca1 100644
--- a/zuul.d/playbooks/build-images/pre.yml
+++ b/zuul.d/playbooks/build-images/pre.yml
@@ -12,7 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-- name: Prepare host for Keycloak tests
+- name: Prepare host for building images
hosts: all
roles:
- ensure-docker
diff --git a/zuul.d/playbooks/build-images/run.yml b/zuul.d/playbooks/build-images/run.yml
index 854af95..ed89687 100644
--- a/zuul.d/playbooks/build-images/run.yml
+++ b/zuul.d/playbooks/build-images/run.yml
@@ -32,3 +32,48 @@
chdir: "{{ zuul.project.src_dir }}"
environment:
PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}"
+
+ - name: Get list of images built
+ ansible.builtin.shell: docker buildx bake --print
+ register: images_built_json
+
+ - name: Set fact with list of images
+ set_fact:
+ images_built: "{{ images_built_json.stdout | from_json | json_query('target.*.tags[?@] | []') }}"
+
+ - name: Sign images
+ when: zuul.pipeline == 'post'
+ block:
+ - name: Download cosign binary
+ ansible.builtin.get_url:
+ url: https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
+ dest: /usr/local/bin/cosign
+ mode: 0755
+
+ - name: Copy the cosign private key
+ copy:
+ content: "{{ cosign_key.private }}"
+ dest: cosign.key
+
+ - name: Sign images
+ ansible.builtin.shell: |
+ cosign sign -y --recursive --key cosign.key {{ item }}
+ loop: "{{ images_built }}"
+
+ - name: Delete the cosign private key
+ file:
+ path: cosign.key
+ state: absent
+
+ - name: Return Zuul artifacts for images
+ zuul_return:
+ data:
+ zuul:
+ artifacts:
+ - name: "{{ item }}"
+ url: "docker://{{ item }}"
+ metadata:
+ type: container_image
+ repository: "{{ item.split(':')[0] }}"
+ tag: "{{ item.split(':')[1] }}"
+ loop: "{{ images_built }}"
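Review bot: The cosign binary that is used to sign with `cosign_key.private` is fetched from `releases/latest/download/` with no pinned version and no `checksum:`, so whatever upstream publishes (or whatever is interposed on the download) is executed unverified against the private key; pin a release and verify it with `checksum: "sha256:<EXPECTED_SHA256>"` on the `get_url` task. The key file is written by `copy` with the default mode, so it should carry `mode: "0600"`, and the unquoted `mode: 0755` on the download should be `mode: "0755"` so it is not read as a decimal integer. The `Delete the cosign private key` task sits inside `block:`, which means a failure in the `Sign images` loop leaves `cosign.key` on the node; moving it to an `always:` section runs it on either outcome. Separately, in the `zuul_return` task `tag: "{{ item.split(':')[1] }}"` returns the registry port rather than the tag if any image reference carries one, which `item.rsplit(':', 1)[1]` avoids (the same applies to `repository`). The restructured block is below; `<PINNED_VERSION>` and `<EXPECTED_SHA256>` are placeholders to fill in.
```yaml
  - name: Sign images
    when: zuul.pipeline == 'post'
    block:
      - name: Download cosign binary
        ansible.builtin.get_url:
          url: https://github.com/sigstore/cosign/releases/download/<PINNED_VERSION>/cosign-linux-amd64
          checksum: "sha256:<EXPECTED_SHA256>"
          dest: /usr/local/bin/cosign
          mode: "0755"

      - name: Copy the cosign private key
        ansible.builtin.copy:
          content: "{{ cosign_key.private }}"
          dest: cosign.key
          mode: "0600"

      # … unchanged: Sign images loop …
    always:
      - name: Delete the cosign private key
        ansible.builtin.file:
          path: cosign.key
          state: absent
```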
diff --git a/zuul.d/secrets.yaml b/zuul.d/secrets.yaml
index 232d7d5..9cbc362 100644
--- a/zuul.d/secrets.yaml
+++ b/zuul.d/secrets.yaml
@@ -27,3 +27,33 @@
M7zDXnorUFyv9dUIB2rOZrp7o0OC2thujjDTKXb4qfmfXGOwlkNmtCLo6BaDo9pSdRN8p
k0YnUAItZ64qUR7paEUKGy4rzsZjDYvIj7DrCFvLL2CXcyjPGcmcblpSHe5vJ15CFVH8X
o39FIIhSmehvrYJziGYUgf4JY1B6ktBtFc9l78WeoJRHNce+viSSkBj1fhbUaI=
+
+- secret:
+ name: cosign_key
+ data:
+ public: |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf5DzGuQLAvNIfiv/b7JULemWZcpU
+ 4uCefCqflA7wpypGLM+1lBo0pjBc/9QJAj+lG61ZNwpDx8Zk1jFGJUUl9A==
+ -----END PUBLIC KEY-----
+ private: !encrypted/pkcs1-oaep
+ - lHcfMc85t12hzas/feMTOr1+pZVMZfQdxTMJouKIvSHpHjSQt6EwyMmWIhc+q03HUBGb5
+ setWiSl1YNZIprZLyqCNCq8NjZlcBWVnw9zkkMdwN2Q6JkAe78mPHRLmVUdNqKuOVHmmr
+ ThCUkQHxbieKW7ZGzAtUSouSWhfjLdx9poUf5wJx2ujotcNcCQ2Bkb7PPzWNBdzBJjRlE
+ 2PXW+Ni99wNZisEcjxan7QhrhFxcS+sou0R9FPds66zO9GgAYYD+4SRwF7dSUM2BXA7AZ
+ 0zeU6w+e2qd09eHUbHVYXeWDhYKx7FlsUetVHWzyVFg4LfnHCFC/tIWTvJnzyJIfbXziP
+ KLSuv3wGlNCRZOPI7xgB0oeky++xzuTfnX2Ra9pNVZ9eAzpBArJRTOCCgltXjfWNS3QiZ
+ LR3cmizPL53BUHX92MBBXPXqaEYfbkUcbcAlYYgnjYUT8rak4NW7R5qZMI0d8IWGAnC7w
+ z0MGuT61LWhaPq63TusWpXPbh1GK6n8RxSAQeV9W69KSrbgirRKET2/HyW/WnDwrvYiCY
+ 866xxq/vtqkfB5ck/YtW6UCE5pVPzqnGBLKd+3/t9tu1j0UY/tuegi+3tLbm18E1hPg/T
+ XDvEm7qkl8QerJFfI3XX8YVUcgc1/tzRHFslNXGsUFkgl6BxS9FIu5hXOIv3hQ=
+ - CwAHQQkYQwM2uc4rDihEw+2jJQ0c/FxsutON5u/D48hRBxeUAzj8fTnAar+Co7jWkNHYV
+ +dI/LvhT7y++gzi4kG41B2L+FJELnh2TI3+hz7XorUALHuei5aYsyIFFzVow2fP0t6nW+
+ mBAYFlbO8stkDg9veIiBxv0RXaISQVNOfzOo428zt0EPJYSqno4FJ9by6plO/jY3A5h8j
+ ElEs/J35vrDbWcWy80htZNKuLo6nBOaDPM1Esfd6uBsMVxxaPzUSa6yaov4pS8WV172CW
+ 98IaCSYY1+GGkpm+69nQmi6Ik9qILhn3yu3XqfnF/8rlrXXzhN2bDevMyPiWh/KXL4mAq
+ UMWyNyXdNNY2g+5s3dCB/qoZVIdiilsDX9tvP7pQvKW4tNqLXm9+8RVbfPxVaWfKpb3JD
+ 02RZtvB0W+jpCk/tC3JNKpW3JVnlOGidYyLMsrMqDoKlohorq/LZ/hM4qDyYCoXr5NzJv
+ Wq1JuqYu3+/gpx/PE+RI17lCKbA0vYI86L1qMkoQMK0rvShurWanz8/q7slDorWcfgHW8
+ UbB4Rqd9xgk8jtHnxHNlafZrfjIJbE5W5PddzH5Q5Aw7l4sPlJ4V2hnF+mhVegCwhc7s7
+ D/tlTTxjnHrQBLw9+vwDhkk/RADQbLExTIXFt6TH0No94zdTiUrTPg90s+rn6A=