request #41087 Sign our dev/test Docker images using GitHub ephemeral OIDC token

Infos

Artifact ID#41087

Submitted byThomas Gerbet (tgerbet)

Last Modified On2024-12-05 15:44

Submitted on2024-12-05 11:44

Rank42797

Details

Summary *

Sign our dev/test Docker images using GitHub ephemeral OIDC token

Original Submission

These images are currently signed using a static key hosted on our HC Vault instance. Given they are hosted on GH and built using GitHub Actions we could sign them using the "keyless" signing mode. It gives us a similar level of trust and we do not need to provide access to our infrastructure.

CategoryDev tools

Reported in versionEmpty

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2024-12-05

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #41087

Git commit

tuleap/tuleap/stable

chore: Adjust signature verification when we retrieve the dev Docker images 305a2ace80

Thomas Gerbet (tgerbet) , 2024-12-05 14:38

Show items referenced by request #41087

Referenced by request #41087

Artifact

rel #37902 16.3

Other

Follow-ups

Thomas Gerbet (tgerbet)

2024-12-05 15:44

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #37902
Close date set to 2024-12-05

Thomas Gerbet (tgerbet)

2024-12-05 15:26

Last part in gerrit #32644

Status changed from Under implementation to Under review

Thomas Gerbet (tgerbet)

2024-12-05 14:15

Other repositories have also been adjusted.

https://github.com/Enalean/docker-tuleap-test-phpunit/pull/74
https://github.com/Enalean/docker-ldap/pull/44
https://github.com/Enalean/docker-tuleap-aio-dev/pull/75
https://github.com/Enalean/bz2tuleap/pull/258

Joris MASSON (jmasson)

2024-12-05 12:45

https://github.com/Enalean/docker-tuleap-test-rest/pull/58 merged