Add example of push and sign OCI artifacts

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-06 10:55:56 +00:00 · 2023-01-31 13:38:30 +02:00
parent 56807fddf6
commit 6681cd05a9
2 changed files with 40 additions and 31 deletions
--- a/action/README.md
+++ b/action/README.md
@@ -134,18 +134,25 @@ jobs:
          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
 ```

-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to Docker Hub:
+### Push and sign Kubernetes manifests to container registries
+
+Example workflow for publishing Kubernetes manifests bundled as OCI artifacts
+which are signed with Cosign and GitHub OIDC:

 ```yaml
-name: push-artifact-production
+name: push-sign-artifact

 on:
  push:
-    tags:
-      - '*'
+    branches:
+      - 'main'
+
+permissions:
+  packages: write # needed for ghcr.io access
+  id-token: write # needed for keyless signing

 env:
-  OCI_REPO: "oci://docker.io/my-org/app-config"
+  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"

 jobs:
  kubernetes:
@@ -155,23 +162,24 @@ jobs:
        uses: actions/checkout@v3
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
-      - name: Login to Docker Hub
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@main
+      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Generate manifests
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push and sign manifests
        run: |
-          kustomize build ./manifests/production > ./deploy/app.yaml
-      - name: Push manifests
-        run: |
-          flux push artifact $OCI_REPO:$(git tag --points-at HEAD) \
-            --path="./deploy" \
-            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
-      - name: Deploy manifests to production
-        run: |
-          flux tag artifact $OCI_REPO:$(git tag --points-at HEAD) --tag production
+          digest_url=$(flux push artifact \
+          $OCI_REPO:$(git rev-parse --short HEAD) \
+          --path="./manifests" \
+          --source="$(git config --get remote.origin.url)" \
+          --revision="$(git branch --show-current)/$(git rev-parse HEAD)" |\
+          jq -r '. | .repository + "@" + .digest')
+
+          cosign sign $digest_url
 ```

 ### End-to-end testing