
Commit 5350be1

ci: sign also prod images
Signed-off-by: Francesco Canovai <[email protected]>
1 parent 1387cf2 commit 5350be1


1 file changed

+21
-6
lines changed


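--- a/.github/workflows/bake.yaml
+++ b/.github/workflows/bake.yaml
@@ -15,7 +15,7 @@ on:
 target:
 type: string
 default: ""
-description: "The target to build the image for comma separated list of targets"
+description: "A comma separated list of targets to build. If empty, all targets will be built."
 
 jobs:
 # Start by building images for testing. We want to run security checks before pushing those to production.
@@ -26,6 +26,7 @@ jobs:
 contents: read
 packages: write
 security-events: write
+# Required by the cosign step
 id-token: write
 outputs:
 metadata: ${{ steps.build.outputs.metadata }}
@@ -71,12 +72,14 @@ jobs:
 # Even if we're testing we sign the images, so we can push them to production later if that's required
 - name: Install cosign
 uses: sigstore/cosign-installer@v3
-- name: Check Cosign install
-run: cosign version
-- name: Sign images using Cosing
+# See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
+# and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
+# how to use cosign.
+- name: Sign images
 run: |
-images=""
-images=$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.[] | "\(.["image.name"]) \(.["containerimage.digest"])"' | awk -F' ' '{split($1, a, ","); for(i in a) print a[i] "@" $2}' | tr '\n' ' ')
+images=$(echo '${{ steps.build.outputs.metadata }}' |
+jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'
+)
 cosign sign --yes ${images}
 
 security:
@@ -161,3 +164,15 @@ jobs:
 revision: ${{ github.sha }}
 with:
 push: true
+
+- name: Install cosign
+uses: sigstore/cosign-installer@v3
+# See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
+# and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
+# how to use cosign.
+- name: Sign images
+run: |
+images=$(echo '${{ steps.build.outputs.metadata }}' |
+jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'
+)
+cosign sign --yes ${images}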
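Review bot: Dropping `-r` from the new jq invocation (used in both the test and the prod "Sign images" steps) makes jq print JSON-encoded strings, so `${images}` expands to references wrapped in literal double quotes and cosign will most likely reject them as malformed image references; the removed version used `jq -r`, and the line should read `jq -r '.[] | (."image.name" | sub(",.*";"")) + "@" + ."containerimage.digest"'`. The `sub(",.*";"")` also keeps only the first of the comma-separated names, so if bake ever pushes one digest to more than one repository only the first repository receives a signature, whereas the old awk loop signed every name. Interpolating `${{ steps.build.outputs.metadata }}` directly into the shell script is the script-injection pattern the linked GitHub guidance warns about; pass it through `env: METADATA: ${{ steps.build.outputs.metadata }}` and read it with `echo "$METADATA"` instead. Finally, keyless signing needs `id-token: write`, which this commit only comments on in the first job's permissions; the prod job's permissions block is outside the hunk, so confirm it grants the same permission or the new step will fail at the OIDC token request.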
