From 31decb7f862500348c0afa4f88c3360ddee556c7 Mon Sep 17 00:00:00 2001 From: Sam Clark <1059176+samhclark@users.noreply.github.com> Date: Fri, 18 Oct 2024 22:01:34 -0500 Subject: [PATCH] Sign with the new keys --- .github/workflows/build.yaml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 7ec754e..d434e54 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -23,6 +23,12 @@ jobs: - name: Checkout uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: Install cosign + if: ${{ github.event_name != 'pull_request' }} + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + with: + cosign-release: 'v2.4.1' + - name: Build image id: build uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 @@ -58,7 +64,19 @@ jobs: subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ steps.build.outputs.image }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true - + + - name: Sign the published OCI image + if: ${{ github.event_name != 'pull_request' }} + env: + digest: ${{ steps.push.outputs.digest }} + fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + run: > + echo "${fully_qualified_image_names_json}" + | jq -r '.[]' + | xargs -I {} cosign sign --key=env://COSIGN_PRIVATE_KEY "{}@${digest}" + - name: Echo outputs for auditing if: github.event_name != 'pull_request' run: |