build(ghcr_deploy.yaml): test adding cosign to ghcr image signing

2025-04-24 18:24:20 +00:00 · 2025-03-31 15:12:10 -07:00 · 2025-03-31 15:12:10 -07:00 · 4356ffc8cb
commit 4356ffc8cb
parent 17ad8a0417
1 changed files with 19 additions and 8 deletions
--- a/.github/workflows/ghcr_deploy.yml
+++ b/.github/workflows/ghcr_deploy.yml
@ -76,37 +76,40 @@ jobs:
      
  build-and-push-image:
    runs-on: ubuntu-latest
-    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
    permissions:
      contents: read
      packages: write
+      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.inputs.commit_hash }}
-      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.1.1
+
      - name: Log in to the Container registry
        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
+
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-      # Configure multi platform Docker builds
+
      - name: Set up QEMU
        uses: docker/setup-qemu-action@e0e4588fad221d38ee467c0bffd91115366dc0c5
+      
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@edfb0fe6204400c56fbfd3feba3fe9ad1adfa345
-      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
-      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
-      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+
      - name: Build and push Docker image
+        id: build-push
        uses: docker/build-push-action@4976231911ebf5f32aad765192d35f942aa48cb8
        with:
          context: .
@ -118,7 +121,15 @@ jobs:
            ${{ github.event.inputs.release_type == 'stable' && format('{0}/berriai/litellm:main-stable', env.REGISTRY) || '' }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: local,linux/amd64,linux/arm64,linux/arm64/v8
-          
+
+      - name: Sign the image
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          for tag in $(echo "${{ steps.build-push.outputs.metadata }}" | jq -r '.tags[]'); do
+            cosign sign --yes "${tag}@${{ steps.build-push.outputs.digest }}"
+          done
+
  build-and-push-image-database:
    runs-on: ubuntu-latest
    permissions: