Merge pull request #3265 from LeSuisse/sign-container-image-cosign

Sign container image using Cosign in keyless mode
Merge pull request #5611 from martin-g/faster-stats-mod-it-tests
2025-11-22 04:36:32 +00:00 · 2025-06-09 09:52:09 +00:00 · 2025-06-09 09:50:12 +00:00 · 2025-06-04 13:08:13 +03:00 · 2025-06-04 13:08:13 +03:00 · 2025-06-04 13:08:13 +03:00
2 changed files with 27 additions and 10 deletions
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@@ -16,6 +16,8 @@ on:
 jobs:
  docker:
    runs-on: docker
+    permissions:
+      id-token: write # This is needed to use Cosign in keyless mode
    steps:
      - uses: actions/checkout@v3

@@ -62,6 +64,9 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      - name: Install cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # tag=v3.8.2
+
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
@@ -85,6 +90,7 @@ jobs:

      - name: Build and push
        uses: docker/build-push-action@v6
+        id: build-and-push
        with:
          push: true
          platforms: linux/amd64,linux/arm64
@@ -94,6 +100,17 @@ jobs:
            COMMIT_DATE=${{ steps.build-metadata.outputs.date }}
            GIT_TAG=${{ github.ref_name }}

+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
      # /!\ Don't touch this without checking with Cloud team
      - name: Send CI information to Cloud team
        # Do not send if nightly build (i.e. 'schedule' or 'workflow_dispatch' event)
--- a/crates/meilisearch/tests/stats/mod.rs
+++ b/crates/meilisearch/tests/stats/mod.rs
@@ -6,8 +6,8 @@ use crate::common::Server;
 use crate::json;

 #[actix_rt::test]
-async fn get_settings_unexisting_index() {
-    let server = Server::new().await;
+async fn get_version() {
+    let server = Server::new_shared();
    let (response, code) = server.version().await;
    assert_eq!(code, 200);
    let version = response.as_object().unwrap();
@@ -18,7 +18,7 @@ async fn get_settings_unexisting_index() {

 #[actix_rt::test]
 async fn test_healthyness() {
-    let server = Server::new().await;
+    let server = Server::new_shared();

    let (response, status_code) = server.service.get("/health").await;
    assert_eq!(status_code, 200);
@@ -55,7 +55,7 @@ async fn stats() {
    ]);

    let (response, code) = index.add_documents(documents, None).await;
-    assert_eq!(code, 202, "{}", response);
+    assert_eq!(code, 202, "{response}");
    assert_eq!(response["taskUid"], 1);

    index.wait_task(response.uid()).await.succeeded();
@@ -78,8 +78,8 @@ async fn stats() {

 #[actix_rt::test]
 async fn add_remove_embeddings() {
-    let server = Server::new().await;
-    let index = server.index("doggo");
+    let server = Server::new_shared();
+    let index = server.unique_index();

    let (response, code) = index
        .update_settings(json!({
@@ -216,8 +216,8 @@ async fn add_remove_embeddings() {

 #[actix_rt::test]
 async fn add_remove_embedded_documents() {
-    let server = Server::new().await;
-    let index = server.index("doggo");
+    let server = Server::new_shared();
+    let index = server.unique_index();

    let (response, code) = index
        .update_settings(json!({
@@ -293,8 +293,8 @@ async fn add_remove_embedded_documents() {

 #[actix_rt::test]
 async fn update_embedder_settings() {
-    let server = Server::new().await;
-    let index = server.index("doggo");
+    let server = Server::new_shared();
+    let index = server.unique_index();

    // 2 embedded documents for 3 embeddings in total
    // but no embedders are added in the settings yet so we expect 0 embedded documents for 0 embeddings in total
Author	SHA1	Message	Date
Tamo	40af2c7679	Merge pull request #3265 from LeSuisse/sign-container-image-cosign Sign container image using Cosign in keyless mode	2025-06-09 09:52:09 +00:00
Tamo	5b5b7ee998	Merge pull request #5611 from martin-g/faster-stats-mod-it-tests tests: Fater stats::mod IT tests	2025-06-09 09:50:12 +00:00
Martin Tzvetanov Grigorov	0557a4dd2f	Trigger build Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>	2025-06-04 13:08:13 +03:00
Martin Tzvetanov Grigorov	930d5a09a8	Use unique server + its own index for #stats() test Using a shared server will make this test fragile Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>	2025-06-04 13:08:13 +03:00
Martin Tzvetanov Grigorov	8b0c4291ae	tests: Fater stats::mod IT tests Use shared server + unique indices Related-to: https://github.com/meilisearch/meilisearch/issues/4840 Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>	2025-06-04 13:08:13 +03:00
Thomas Gerbet	077255ce6d	Sign container image using Cosign in keyless mode Cosign keyless mode makes possible to sign the container image using the OIDC Identity Tokens provided by GitHub Actions [0][1]. The signature is published to the registry storing the image and to the public Rekor transparency log instance [2]. Cosign keyless mode has already been adopted by some major projects like Kubernetes [3]. The image signature can be manually verified using: ``` $ cosign verify \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='^https://github.com/meilisearch/meilisearch/.github/workflows/publish-docker-images.yaml' \ <image_name> ``` See #2179. Note that a similar approach can be used to sign the release binaries. [0] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect [1] https://docs.sigstore.dev/cosign/signing/signing_with_containers/ [2] https://docs.sigstore.dev/rekor/overview [3] https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/#verifying-image-signatures	2025-04-23 15:26:00 +02:00