
Sign published image manifests with cosign#376

Closed
Wuodan wants to merge 6 commits into nikolaik:main from Wuodan:upstream-PR/03-sign-image-manifests-with-cosign

Conversation


@Wuodan Wuodan commented Mar 17, 2026

Add keyless cosign signing for the published multi-arch manifests, including the canonical version tags and latest. The workflow now requests the OIDC token permission needed for GitHub-backed signing and signs the final manifest digests after publication.

This PR includes the commits of PR #375 while the actual change for this PR is only the last commit for cosign.

If you don't merge the other PR, then adding cosign support to the existing manifest process in a similar way is quite simple.
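The pieces the description refers to (the `id-token` permission for keyless signing, assembling the manifest, and signing the pushed digest rather than a tag) fit together as in the following workflow fragment. This is an added example, not the PR's own workflow; the job and step names, the placeholder image name, the tag naming scheme and the assumption that `docker manifest push` prints the pushed digest are all mine:

```yaml
# Added example (not this PR's workflow): keyless cosign signing of a
# multi-arch manifest from GitHub Actions. Job names, tag scheme and the
# example image name are assumptions.
name: publish-and-sign

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write   # lets the job request the OIDC token cosign uses for keyless (Fulcio) signing

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      IMAGE_NAME: example-org/example-image   # placeholder; the PR resolves this from an Actions variable
    steps:
      - uses: sigstore/cosign-installer@v3

      - name: Assemble the multi-arch manifest locally (no registry login yet)
        run: |
          docker manifest create "${IMAGE_NAME}:${GITHUB_REF_NAME}" \
            "${IMAGE_NAME}:${GITHUB_REF_NAME}-amd64" \
            "${IMAGE_NAME}:${GITHUB_REF_NAME}-arm64"

      - name: Log in to Docker Hub only for the publish step
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Push the manifest and capture its digest
        id: push
        run: |
          # Assumption: 'docker manifest push' prints the digest of the pushed manifest list.
          digest="$(docker manifest push "${IMAGE_NAME}:${GITHUB_REF_NAME}")"
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"

      - name: Sign the manifest by digest, not by tag
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          # A digest pins the signature to exact content; a tag can be moved later.
          # cosign resolves the reference through the registry before signing, so this
          # step is itself a manifest GET that counts against the Docker Hub pull limit.
          cosign sign --yes "${IMAGE_NAME}@${DIGEST}"

      - name: Verify the signature was issued to this repository's workflow
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/" \
            "${IMAGE_NAME}@${DIGEST}"
```

The verify step is what a consumer would run as well: without pinning both the OIDC issuer and the certificate identity, a keyless verification accepts a signature from any GitHub workflow, so the identity regexp is the part that actually ties the image to this repository.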

Wuodan added 5 commits March 17, 2026 02:30
Keep nikolaik/python-nodejs as the default image name in the workflow, but resolve it through a GitHub Actions variable so forks can publish to a different image without changing the repository.

Forks can set IMAGE_NAME in Actions variables or in workflow run configuration. That keeps the default behavior unchanged here while avoiding fork-specific edits in PRs.

Allow manual workflow runs from GitHub Actions with a force option and an optional IMAGE_NAME override.

This makes it possible to test publish flows without overwriting the real published image tags.

Replace the QEMU-based multi-platform build with native amd64 and arm64 runner jobs, then publish the final image tags by assembling a manifest from the architecture-specific tags. Fixes nikolaik#258.

Run the smoke test suite against each architecture-specific image before publishing the final manifest, instead of only testing the locally loaded amd64 image. The build-matrix helper now emits an architecture-expanded matrix for the workflow, and the new unit test covers that expansion. Fixes nikolaik#314.

Split the per-architecture workflow so each image is built locally, smoke-tested, and only then pushed to Docker Hub as an architecture-specific tag.

This avoids publishing untested architecture images and keeps Docker Hub out of the build phase, so public base-image pulls are no longer attributed to the authenticated Docker Hub account.

Replace the deploy-side use of `docker buildx imagetools create` with a local `docker manifest create` followed by authenticated `docker manifest push`.

This keeps the manifest assembly step anonymous and delays Docker Hub login until the actual publish step, which reduces authenticated rate-limit failures during multi-arch manifest publication.
Wuodan force-pushed the upstream-PR/03-sign-image-manifests-with-cosign branch from 2a526c8 to 256b7de on March 17, 2026 02:36
Add keyless cosign signing for the published multi-arch manifests, including the canonical version tags and latest. The workflow now requests the OIDC token permission needed for GitHub-backed signing and signs the final manifest digests after publication.
Wuodan force-pushed the upstream-PR/03-sign-image-manifests-with-cosign branch from 256b7de to aacaa21 on March 17, 2026 02:59

Wuodan (author) commented Mar 17, 2026

Dropping this PR as signing with cosign performs a pull under the hood and I hit the rate limit on docker.io:

Run cosign sign --yes "${IMAGE_NAME}@sha256:f8af92cacb87ccdb523239249ff5ded8aa6a669919e3f93a58f1582267107dda"
Error: signing [***/python-nodejs@sha256:f8af92cacb87ccdb523239249ff5ded8aa6a669919e3f93a58f1582267107dda]: accessing image: GET https://index.docker.io/v2/***/python-nodejs/manifests/sha256:f8af92cacb87ccdb523239249ff5ded8aa6a669919e3f93a58f1582267107dda: TOOMANYREQUESTS: You have reached your pull rate limit as '***': dckr_jti_YPZNbt7-OWAQxVK43uL1XFcyYXU=. You may increase the limit by upgrading. https://www.docker.com/increase-rate-limit
error during command execution: signing [***/python-nodejs@sha256:f8af92cacb87ccdb523239249ff5ded8aa6a669919e3f93a58f1582267107dda]: accessing image: GET https://index.docker.io/v2/***/python-nodejs/manifests/sha256:f8af92cacb87ccdb523239249ff5ded8aa6a669919e3f93a58f1582267107dda: TOOMANYREQUESTS: You have reached your pull rate limit as '***': dckr_jti_YPZNbt7-OWAQxVK43uL1XFcyYXU=. You may increase the limit by upgrading. https://www.docker.com/increase-rate-limit
Error: Process completed with exit code 1.

Wuodan closed this Mar 17, 2026