Publish images in GHCR (bitnami-labs#851)

.github/workflows/release.yaml

@@ -10,7 +10,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     env:
-      image_name: docker.io/bitnami/sealed-secrets-controller
+      dockerhub_image_name: docker.io/bitnami/sealed-secrets-controller
+      ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-controller
     steps:
       # Checkout and set env
       - name: Checkout
@@ -33,7 +34,7 @@ jobs:
       - name: K8s manifests
         run: |
           export PATH=~/bin:$PATH
-          make CONTROLLER_IMAGE=${{ env.image_name }}:${{ github.ref_name }} controller.yaml controller-norbac.yaml
+          make CONTROLLER_IMAGE=${{ env.dockerhub_image_name }}:${{ github.ref_name }} controller.yaml controller-norbac.yaml
 
       # Setup env for multi-arch builds
       - name: Set up QEMU
@@ -69,18 +70,31 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GHRC
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: |
+            ${{ env.dockerhub_image_name }}
+            ${{ env.ghcr_image_name }}
       - name: Build and push
         id: docker_build
         uses: docker/build-push-action@v2
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/arm
           push: true
-          tags: ${{ env.image_name }}:latest,${{ env.image_name }}:${{ github.ref_name }}
-      - name: Sign image with a key
+          tags: ${{ steps.meta.outputs.tags }}
+      - name: Sign image with a key in GHCR
         run: |
-          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key $TAG_LATEST $TAG_CURRENT
+          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key $TAG_CURRENT
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          TAG_LATEST: ${{ env.image_name }}:latest
-          TAG_CURRENT: ${{ env.image_name }}:${{ github.ref_name }}
+          TAG_CURRENT: ${{ steps.meta.outputs.tags }}
+          COSIGN_REPOSITORY: ${{ env.ghcr_image_name }}/signs

README.md

@@ -54,6 +54,7 @@ original Secret from the SealedSecret.
   - [How do I update parts of JSON/YAML/TOML/.. file encrypted with sealed secrets?](#how-do-i-update-parts-of-jsonyamltoml-file-encrypted-with-sealed-secrets)
   - [Can I bring my own (pre-generated) certificates?](#can-i-bring-my-own-pre-generated-certificates)
   - [How to use kubeseal if the controller is not running within the `kube-system` namespace?](#how-to-use-kubeseal-if-the-controller-is-not-running-within-the-kube-system-namespace)
+  - [How to verify the images?](#how-to-verify-the-images)
 - [Community](#community)
   - [Related projects](#related-projects)
 
@@ -630,6 +631,23 @@ export SEALED_SECRETS_CONTROLLER_NAMESPACE=sealed-secrets
 kubeseal <mysecret.json >mysealedsecret.json
 ```
 
+### How to verify the images?
+
+Our images are being signed using [cosign](https://github.com/sigstore/cosign). The signatures have been saved in our [GitHub Container Registry](https://github.com/bitnami-labs/sealed-secrets/pkgs/container/sealed-secrets/signs).
+
+It is pretty simple to verify the images:
+
+```bash
+# export the COSIGN_VARIABLE setting up the GitHub container registry signs path
+export COSIGN_REPOSITORY=ghcr.io/bitnami-labs/sealed-secrets-controller/signs
+
+# verify the image uploaded in GHCR
+cosign verify --key .github/workflows/cosign.pub ghcr.io/bitnami-labs/sealed-secrets-controller:latest
+
+# verify the image uploaded in Dockerhub
+cosign verify --key .github/workflows/cosign.pub docker.io/bitnami/sealed-secrets-controller:latest
+```
+
 ## Community
 
 - [#sealed-secrets on Kubernetes Slack](https://kubernetes.slack.com/messages/sealed-secrets)