|
15 | 15 | target:
|
16 | 16 | type: string
|
17 | 17 | default: ""
|
18 |
| - description: "The target to build the image for comma separated list of targets" |
| 18 | + description: "A comma separated list of targets to build. If empty, all targets will be built." |
19 | 19 |
|
20 | 20 | jobs:
|
21 | 21 | # Start by building images for testing. We want to run security checks before pushing those to production.
|
|
26 | 26 | contents: read
|
27 | 27 | packages: write
|
28 | 28 | security-events: write
|
| 29 | + # Required by the cosign step |
29 | 30 | id-token: write
|
30 | 31 | outputs:
|
31 | 32 | metadata: ${{ steps.build.outputs.metadata }}
|
@@ -71,12 +72,14 @@ jobs:
|
71 | 72 | # Even if we're testing we sign the images, so we can push them to production later if that's required
|
72 | 73 | - name: Install cosign
|
73 | 74 | uses: sigstore/cosign-installer@v3
|
74 |
| - - name: Check Cosign install |
75 |
| - run: cosign version |
76 |
| - - name: Sign images using Cosing |
| 75 | + # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ |
| 76 | + # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on |
| 77 | + # how to use cosign. |
| 78 | + - name: Sign images |
77 | 79 | run: |
|
78 |
| - images="" |
79 |
| - images=$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.[] | "\(.["image.name"]) \(.["containerimage.digest"])"' | awk -F' ' '{split($1, a, ","); for(i in a) print a[i] "@" $2}' | tr '\n' ' ') |
| 80 | + images=$(echo '${{ steps.build.outputs.metadata }}' | |
| 81 | + jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' |
| 82 | + ) |
80 | 83 | cosign sign --yes ${images}
|
81 | 84 |
|
82 | 85 | security:
|
@@ -161,3 +164,15 @@ jobs:
|
161 | 164 | revision: ${{ github.sha }}
|
162 | 165 | with:
|
163 | 166 | push: true
|
| 167 | + |
| 168 | + - name: Install cosign |
| 169 | + uses: sigstore/cosign-installer@v3 |
| 170 | + # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ |
| 171 | + # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on |
| 172 | + # how to use cosign. |
| 173 | + - name: Sign images |
| 174 | + run: | |
| 175 | + images=$(echo '${{ steps.build.outputs.metadata }}' | |
| 176 | + jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' |
| 177 | + ) |
| 178 | + cosign sign --yes ${images} |
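Review bot: The rewritten `jq` filter dropped the `-r` that the removed line had, so every line of `images` is a JSON-encoded string and `cosign sign --yes ${images}` receives `"ghcr.io/…@sha256:…"` with the double quotes as part of the reference; the same copy appears in the `@@ -161,3 +164,15 @@` hunk, where the step runs after `push: true`, so a failing sign step leaves an already pushed image unsigned instead of blocking the publish. Restore raw output in both places: `jq -r '.[] | (."image.name" | sub(",.*";"")) + "@" + ."containerimage.digest"'`. The `'${{ steps.build.outputs.metadata }}'` expression is also expanded into the script text before bash parses it; the starter workflow the new comment cites passes such values through `env:` instead, e.g. `METADATA: ${{ steps.build.outputs.metadata }}` with `images=$(printf '%s' "$METADATA" | jq -r …)`, which keeps the JSON out of shell syntax entirely. Finally, `sub(",.*";"")` signs only the first of the comma-separated names, which is sufficient when all names share one repository but leaves any other registry unsigned — a one-line comment stating that assumption would help the next reader. The enclosing job and step definitions begin outside these hunks.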