Inline image singing job

ni · Nov 12, 2024 · 67c0d1c · 67c0d1c
1 parent 678387c
commit 67c0d1c
Showing 1 changed file with 29 additions and 12 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -48,15 +48,32 @@ jobs:
             niartifacts.jfrog.io/rnd-docker-ci/ni/systemlink/ni-grafana:${{ needs.generate_version_number.outputs.image_version }}
 
   sign_docker_image:
-    name: Sign Docker image
-    uses: ni/workflows/.github/workflows/sign-container.yml@main
-    needs: [generate_version_number, build_docker_image]
-    with:
-      image_tag: niartifacts.jfrog.io/rnd-docker-ci/ni/systemlink/ni-grafana:${{ needs.generate_version_number.outputs.image_version }}
-      signature_store_bucket: s3://signing-web-demo-bucket-1neyh347t53dt
-    secrets:
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_VERIFY_DEV  }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_VERIFY_DEV }}
-      GPG_PRIVATE_KEY: ${{ secrets.NI_PGP_RELEASE_SECRING }}
-      REGISTRY_USERNAME: ${{ vars.JFROG_USERNAME }}
-      REGISTRY_PASSWORD: ${{ secrets.JFROG_ACCESS_TOKEN }}
+    runs-on: ubuntu-latest
+    environment: jfrog-ci
+    steps:
+      - name: Log into registry
+        uses: redhat-actions/podman-login@v1
+        with:
+          username: ${{ vars.JFROG_USERNAME }}
+          password: ${{ secrets.JFROG_ACCESS_TOKEN }}
+          registry: niartifacts.jfrog.io
+      - name: Create signature staging directory
+        run: mkdir ${{ runner.temp }}/sigstore
+      - name: Create gnupghome directory
+        run: mkdir ${{ runner.temp }}/gpg && chmod 700 ${{ runner.temp }}/gpg
+      - name: Import private key
+        run: echo "${{ secrets.NI_PGP_RELEASE_SECRING }}" | base64 --decode | gpg --import
+        env:
+          GNUPGHOME: ${{ runner.temp }}/gpg
+      - name: Sign image
+        run: podman image sign --sign-by security@ni.com -d ${{ runner.temp }}/sigstore docker://niartifacts.jfrog.io/rnd-docker-ci/ni/systemlink/ni-grafana:${{ needs.generate_version_number.outputs.image_version }}
+        env:
+          GNUPGHOME: ${{ runner.temp }}/gpg
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_VERIFY_DEV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_VERIFY_DEV }}
+          aws-region: us-east-1
+      - name: Sync signatures to S3
+        run: aws s3 sync ${{ runner.temp }}/sigstore s3://signing-web-demo-bucket-1neyh347t53dt