Commit 9477b123 authored by Sheogorath's avatar Sheogorath 🎓

Add info about image digest to allow end-to-end verification

Currently the image is pushed to quay.io but since container images are
not signed, there is no gurantee that the correct image is provided by
quay.

This patch provides the image's SHA256 digest as part of the build
process so it's possible to verify that the correct image is up and
downlaoded.

This is a first, basic setup to allow better audits of the images. In
future container images should get signed, but this requires some
additional work.
parent 2dd2beab
Pipeline #1694 passed with stages
in 6 minutes and 46 seconds
......@@ -18,8 +18,11 @@ build:
stage: build
script:
- podman build --pull --build-arg VERSION -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
- echo "Image \"$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG\" Digest:"
- podman images --format "{{ .Digest }}" "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
- podman push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
testing:
stage: test
before_script:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment