akashsinghal commented 4 days ago

Description

What this PR does / why we need it:

This PR adds release image signing using Notation and Cosign for all release images: ghcr.io/ratify-project/ratify, ghcr.io/ratify-project/ratify-crds, ghcr.io/ratify-project/ratify-base. The next minor version release v1.4.0 will utilize the new signing workflow.

Doc update PR: https://github.com/ratify-project/ratify-web/pull/129/files

Sample workflow showing release flow successful: https://github.com/akashsinghal/ratify/actions/runs/11963756788/job/33354797232

Cosign signature attached:

Notary Project signature attached:

Which issue(s) this PR fixes (optional, using `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when the PR gets merged):

Fixes #1437

Type of change

Please delete options that are not relevant.

[ ] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[ ] Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
[ ] This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

[ ] Test A
[ ] Test B

Checklist:

[ ] Does the affected code have corresponding tests?
[ ] Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
[ ] Does this introduce breaking changes that would require an announcement or bumping the major version?
[ ] Do all new files have appropriate license header?

Post Merge Requirements

[ ] MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

codecov[bot] commented 4 days ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

see 3 files with indirect coverage changes

akashsinghal commented 10 hours ago

interesting that cosign signs with the command vs notation we use the action. Curious if both are available, is it better to use the command or the action?

yeah good point. It seems that cosign github action is only for installation. recommended way is to use cosign cli directly once installed on runner.

ratify-project / ratify

build: add image signing for all release images #1947

Description

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when the PR gets merged):

Type of change

How Has This Been Tested?

Checklist:

Post Merge Requirements

Codecov Report

ratify-project / ratify

build: add image signing for all release images #1947

Description

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Type of change

How Has This Been Tested?

Checklist:

Post Merge Requirements

Codecov Report

Which issue(s) this PR fixes (optional, using `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when the PR gets merged):