From 287cc21981c0d3a7e692633f399207b538922302 Mon Sep 17 00:00:00 2001
From: Michael 'Flimmy' Flemming
Date: Fri, 28 Nov 2025 11:13:26 +0100
Subject: [PATCH] add image signing with notation
---
 .woodpecker.star | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/.woodpecker.star b/.woodpecker.star
index 7905856691..a57bc980d4 100644
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -27,6 +27,7 @@ OC_LITMUS = "owncloudci/litmus:latest"
 OC_UBUNTU = "owncloud/ubuntu:20.04"
 ONLYOFFICE_DOCUMENT_SERVER = "onlyoffice/documentserver:7.5.1"
 PLUGINS_DOCKER_BUILDX = "woodpeckerci/plugin-docker-buildx:latest"
+PLUGINS_NOTATION = "registry.heinlein.group/opencloud/notation-wp-plugin:latest"
 PLUGINS_GITHUB_RELEASE = "woodpeckerci/plugin-release"
 PLUGINS_GIT_ACTION = "quay.io/thegeeklab/wp-git-action"
 PLUGINS_S3 = "plugins/s3:1"
@@ -1661,8 +1662,8 @@ def dockerRelease(ctx, repo, build_type):
 tag_parts = tag_version.split("-")
 # if a tag has something appended with "-" i.e. alpha, beta, rc1...
- # set the entire string as tag, else leave empty to autotag with latest
- hard_tag = tag_version if len(tag_parts) > 1 else ""
+ # set the entire string as tag, else tag with latest (same as empty with current plugin)
+ hard_tag = tag_version if len(tag_parts) > 1 else "latest"
 depends_on = getPipelineNames(getGoBinForTesting(ctx))
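Review bot: `PLUGINS_NOTATION` references the signing plugin by the mutable `:latest` tag, and the step that runs it (added further down in `dockerRelease`) is handed the `notation_key` and `notation_cert` secrets plus the Harbor login. Anyone able to move that tag changes the code that sees the signing key, so this image is worth pinning by digest even though the neighbouring constants use floating tags: `PLUGINS_NOTATION = "registry.heinlein.group/opencloud/notation-wp-plugin@sha256:<digest>"` (placeholder digest). A comment beside the constant recording which plugin release the digest corresponds to would keep later bumps reviewable.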
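Review bot: The `hard_tag` fallback becomes `"latest"` only on this line, while the value it holds for non-tag builds is assigned outside the hunk (the body of `dockerRelease` starts and ends outside it). The new signing step formats `hard_tag` into its `target` and also runs on `cron` and `base`, so if that initial value is still an empty string the reference would end in a bare `:`; please confirm it is a real tag as well. The comment's "(same as empty with current plugin)" depends on the build plugin's behaviour while `PLUGINS_DOCKER_BUILDX` floats on `:latest`, so I would state the coupling explicitly, e.g. `# must equal the tag the build step publishes: the signing step targets repo:hard_tag`.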
@@ -1751,6 +1752,36 @@ def dockerRelease(ctx, repo, build_type):
 event["tag"],
 ],
 },
+ {
+ "name": "notation-signing",
+ "image": PLUGINS_NOTATION,
+ "settings": {
+ "key": {
+ "from_secret": "notation_key",
+ },
+ "crt": {
+ "from_secret": "notation_cert",
+ },
+ "target": "registry.heinlein.group/%s:%s" % (repo, hard_tag),
+ "pull_image": True,
+ "logins": [
+ {
+ "registry": "https://registry.heinlein.group",
+ "username": {
+ "from_secret": "harbor_opencloudeu_user",
+ },
+ "password": {
+ "from_secret": "harbor_opencloudeu_password",
+ },
+ },
+ ],
+ },
+ "when": [
+ event["cron"],
+ event["base"],
+ event["tag"],
+ ],
+ },
 ],
 "depends_on": depends_on,
 "when": [
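Review bot: The `target` of the `notation-signing` step is a tag reference, `"registry.heinlein.group/%s:%s" % (repo, hard_tag)`, so the step signs whatever that tag resolves to when it runs rather than the image this pipeline just pushed. With `latest` as the fallback tag and the step enabled for `cron`, `base` and `tag`, overlapping pipelines or any other push in between would get a different digest signed under the release key. If the plugin accepts a digest reference, pass the digest reported by the build step (`registry.heinlein.group/<repo>@sha256:<digest>`, placeholder) instead; otherwise have the step compare the resolved digest with the build output before signing. The step list this entry is added to starts outside the hunk.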