ci: Use cosign plugin to sign container images. (#202)
This commit adds the cosign-buildkite-plugin to the CI pipeline. [1]
cosign is an open-source tool developed by Chainguard that signs
container images, allowing other users to cryptographically verify
the origin of container images.

cosign has different operating modes. This commit utilizes Chainguard's
signing infrastructure via "keyless signing". [2] Keyless signing makes
image signing easy for open-source projects because Chainguard operates
the signing infrastructure on behalf of others.

References

1. https://github.com/equinixmetal-buildkite/cosign-buildkite-plugin
2. https://edu.chainguard.dev/open-source/sigstore/cosign/an-introduction-to-cosign/#keyless-signing
stephen-fox authored Nov 27, 2023
1 parent dccbb95 commit 4d1a3a5
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .buildkite/pipeline.yml
Expand Up @@ -55,6 +55,9 @@ steps:
push: true
build-args:
- NAME=${APP_NAME}
- equinixmetal-buildkite/cosign#main:
image: "${IMAGE_REPO}:${IMAGE_TAG}"
keyless: true
- equinixmetal-buildkite/trivy#v1.18.3:
severity: CRITICAL,HIGH
ignore-unfixed: true
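Review bot: the new plugin reference `equinixmetal-buildkite/cosign#main` tracks the plugin's main branch, while the neighbouring trivy step is pinned to `v1.18.3`; the step that is meant to produce a provenance attestation would itself execute whatever is on that branch at run time, so pin it the same way, e.g. `- equinixmetal-buildkite/cosign#<release-tag>:` (tag to be chosen when merging). Note also that `image: "${IMAGE_REPO}:${IMAGE_TAG}"` hands the plugin a mutable tag, so the signature covers whichever digest that tag resolves to when the step runs; if the preceding build step exposes the pushed digest, passing that instead of the tag removes the ambiguity for anyone later verifying the image.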
