bake: sign github actions cache blobs

crazy-max · crazy-max · commit 92be4da8d747 · 2025-12-15T13:07:34.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -143,7 +143,7 @@ on:
 
 env:
   BUILDX_VERSION: "v0.30.1"
-  BUILDKIT_IMAGE: "moby/buildkit:v0.26.2"
+  BUILDKIT_IMAGE: "crazymax/buildkit:6397"
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.67.0"
   COSIGN_VERSION: "v3.0.2"
   LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ -255,14 +255,16 @@ jobs:
               } else if (platforms.length === 0) {
                 includes.push({
                   index: 0,
-                  runner: runner === 'auto' ? 'ubuntu-24.04' : runner
+                  runner: runner === 'auto' ? 'ubuntu-24.04' : runner,
+                  tlogUpload: !privateRepo
                 });
               } else {
                 platforms.forEach((platform, index) => {
                   includes.push({
                     index: index,
                     platform: platform,
-                    runner: runner === 'auto' ? ((!privateRepo && platform.startsWith('linux/arm')) ? 'ubuntu-24.04-arm' : 'ubuntu-24.04') : runner
+                    runner: runner === 'auto' ? ((!privateRepo && platform.startsWith('linux/arm')) ? 'ubuntu-24.04-arm' : 'ubuntu-24.04') : runner,
+                    tlogUpload: !privateRepo
                   });
                 });
               }
@@ -340,13 +342,118 @@ jobs:
         if: ${{ inputs.setup-qemu }}
         with:
           image: ${{ inputs.qemu-image }}
+      -
+        name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v3
       -
         name: Set up Docker Buildx
+        id: buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
         with:
           version: ${{ env.BUILDX_VERSION }}
           buildkitd-flags: --debug
-          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          driver-opts: |
+            image=${{ env.BUILDKIT_IMAGE }}
+            env.ACTIONS_ID_TOKEN_REQUEST_TOKEN=${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
+            env.ACTIONS_ID_TOKEN_REQUEST_URL=${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
+          buildkitd-config-inline: |
+            [cache]
+              [cache.gha]
+                [cache.gha.sign]
+                  command = ["ghacache-sign-script.sh"]
+                [cache.gha.verify]
+                  required = true
+                  [cache.gha.verify.policy]
+                    timestampTreshold = 1
+                    tlogThreshold = ${{ matrix.tlogUpload && '1' || '0' }}
+                    subjectAlternativeName = "https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml*"
+                    issuer = "https://token.actions.githubusercontent.com"
+                    runnerEnvironment = "github-hosted"
+      -
+        name: Install Cosign
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
+          INPUT_BUILDER-NAME: ${{ steps.buildx.outputs.name }}
+          INPUT_GHA-CACHE-SIGN-SCRIPT: |
+            #!/bin/sh
+            set -e
+
+            # Create temporary files
+            out_file=$(mktemp)
+            in_file=$(mktemp)
+            trap 'rm -f "$in_file" "$out_file"' EXIT
+            cat > "$in_file"
+
+            set -x
+
+            # Sign with cosign
+            cosign sign-blob \
+              --yes \
+              --oidc-provider github-actions \
+              --new-bundle-format \
+              --use-signing-config \
+              --bundle "$out_file" \
+              --tlog-upload=${{ matrix.tlogUpload }} \
+              "$in_file"
+
+            # Output bundle to stdout
+            cat "$out_file"
+        with:
+          script: |
+            const fs = require('fs');
+            const os = require('os');
+            const path = require('path');
+            
+            const { Buildx } = require('@docker/actions-toolkit/lib/buildx/buildx');
+            const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
+            const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
+            
+            const inpCosignVersion = core.getInput('cosign-version');
+            const inpBuilderName = core.getInput('builder-name');
+            const inpGHACacheSignScript = core.getInput('gha-cache-sign-script');
+
+            const cosignInstall = new Install();
+            const cosignBinPath = await cosignInstall.download(inpCosignVersion, false, true);
+            const cosignPath = await cosignInstall.install(cosignBinPath);
+
+            const cosign = new Cosign();
+            await cosign.printVersion();
+            
+            const containerName = `${Buildx.containerNamePrefix}${inpBuilderName}0`;
+            
+            const ghaCacheSignScriptPath = path.join(os.tmpdir(), `ghacache-sign-script.sh`);
+            core.info(`Writing GitHub Actions cache sign script to ${ghaCacheSignScriptPath}`);
+            await fs.writeFileSync(ghaCacheSignScriptPath, inpGHACacheSignScript);
+            
+            core.info(`Copying GitHub Actions cache sign script to BuildKit container ${containerName}`);
+            await exec.exec('docker', [
+              'cp',
+              ghaCacheSignScriptPath,
+              `${containerName}:/usr/bin/ghacache-sign-script.sh`
+            ]);
+            await exec.exec('docker', [
+              'exec',
+              containerName,
+              'chmod', '+x', '/usr/bin/ghacache-sign-script.sh'
+            ]);
+            await exec.exec('docker', [
+              'exec',
+              containerName,
+              'cat', '/usr/bin/ghacache-sign-script.sh'
+            ]);
+            
+            core.info(`Copying cosign binary to BuildKit container ${containerName}`);
+            await exec.exec('docker', [
+              'cp',
+              cosignPath,
+              `${containerName}:/usr/bin/cosign`
+            ]);
+            await exec.exec('docker', [
+              'exec',
+              containerName,
+              'chmod', '+x', '/usr/bin/cosign'
+            ]);
       -
         name: Prepare
         id: prepare
@@ -526,23 +633,6 @@ jobs:
             const imageDigest = inpMetadata[inpTarget]['containerimage.digest'];
             core.info(imageDigest);
             core.setOutput('digest', imageDigest);
-      -
-        name: Install Cosign
-        if: ${{ inputs.push }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        env:
-          INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
-        with:
-          script: |
-            const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
-            const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
-            
-            const cosignInstall = new Install();
-            const cosignBinPath = await cosignInstall.download(core.getInput('cosign-version'), false, true);
-            await cosignInstall.install(cosignBinPath);
-            
-            const cosign = new Cosign();
-            await cosign.printVersion();
       -
         name: Signing attestation manifests
         id: signing-attestation-manifests
