feat(action): Support passing multiple containers
EyeCantCU committed Dec 24, 2023
1 parent 05ef0e8 commit 9060e51
Showing 3 changed files with 19 additions and 15 deletions.
6 changes: 4 additions & 2 deletions .github/workflows/test-actions.yml
Expand Up @@ -114,16 +114,18 @@ jobs:
- name: Sign image
uses: ./sign
with:
container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
containers: ${{ matrix.image_name }}
registry: ghcr.io/${{ github.repository_owner }}
registry-token: ${{ secrets.GITHUB_TOKEN }}
signing-secret: ${{ secrets.SIGNING_SECRET }}
tags: ${{ steps.push.outputs.digest }}

- name: Verify image
uses: ./verify
with:
container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
containers: ${{ matrix.image_name }}
pubkey: ./cosign.pub
registry: ghcr.io/${{ github.repository_owner }}

- name: Echo outputs
if: github.event_name != 'pull_request'
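Review bot: Both the Sign and Verify steps still hand the action exactly one name (`containers: ${{ matrix.image_name }}`), so the multi-container behaviour the commit title announces is never exercised by this workflow. A second invocation that passes more than one name (constructed example: `containers: image-a image-b`, assuming the input is whitespace-separated, which the hunk does not state) would make a regression in list handling fail here rather than in a consumer. The same `registry: ghcr.io/${{ github.repository_owner }}` literal is now repeated in both steps; a job-level `env` value referenced from each `with:` block keeps them from drifting. The enclosing job continues outside the hunk.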
13 changes: 7 additions & 6 deletions sign/action.yml
Expand Up @@ -2,8 +2,8 @@ name: 'Cosign Action - Sign'
author: 'EyeCantCU'
description: 'Signs target container'
inputs:
container:
description: 'Name of target container to sign'
containers:
description: 'Names of target containers to sign'
required: true
registry-token:
description: 'Password for container registry'
Expand Down Expand Up @@ -35,17 +35,18 @@ runs:
uses: sigstore/cosign-installer@v3.3.0

# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase container path
id: container_path
- name: Normalize registry
id: normalized_registry
shell: bash
run: |
echo ${{ inputs.registry }}/${{ inputs.container }} | awk '{print tolower($0)}'
echo ${{ inputs.registry }} | awk '{print tolower($0)}'
- name: Sign container image
shell: bash
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.container_path.outputs }}@${TAGS}
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.normalized_registry.outputs }}/${CONTAINERS}@${TAGS}
env:
CONTAINERS: ${{ inputs.containers }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}
TAGS: ${{ inputs.tags }}
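Review bot: The new sign command `cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.normalized_registry.outputs }}/${CONTAINERS}@${TAGS}` cannot sign more than one container: `${CONTAINERS}` is unquoted, so a value holding several names is word-split and only the first word receives the registry prefix while only the last receives the `@${TAGS}` suffix, leaving the middle names as bare, unsigned arguments. The same shape appears in verify/action.yml on the two `cosign verify` lines, so the fix below applies there too. Two further points on the new lines: the "Normalize registry" step only echoes the lowercased value to stdout and never writes it to `$GITHUB_OUTPUT`, so `steps.normalized_registry.outputs` presumably does not carry the string the next step expects (verify it in a run); and `echo ${{ inputs.registry }}` interpolates an action input straight into the shell script while `containers` was moved into `env` — passing `registry` the same way and lowercasing it in bash (`${REGISTRY,,}`) removes both the missing-output problem and the script-interpolation exposure. The enclosing `runs:` block starts outside the hunk.
```yaml
      - name: Sign container image
        shell: bash
        run: |
          registry="${REGISTRY,,}"
          for image in ${CONTAINERS}; do
            cosign sign -y --key env://COSIGN_PRIVATE_KEY "${registry}/${image}@${TAGS}"
          done
        env:
          CONTAINERS: ${{ inputs.containers }}
          REGISTRY: ${{ inputs.registry }}
          # … unchanged: COSIGN_EXPERIMENTAL, COSIGN_PRIVATE_KEY, TAGS …
```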
15 changes: 8 additions & 7 deletions verify/action.yml
Expand Up @@ -5,8 +5,8 @@ inputs:
cert-identity:
description: 'The identity certificate'
required: false
container:
description: 'Name of the target container to verify'
containers:
description: 'Names of the target containers to verify'
required: true
pubkey:
description: 'Public key used by target container'
Expand All @@ -24,21 +24,22 @@ runs:
uses: sigstore/cosign-installer@v3.3.0

# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase container path
id: container_path
- name: Normalize registry
id: normalized_registry
shell: bash
run: |
echo ${{ inputs.registry }}/${{ inputs.container }} | awk '{print tolower($0)}'
echo ${{ inputs.registry }} | awk '{print tolower($0)}'
- name: Verify container
shell: bash
run: |
if [[ -n "${{ inputs.pubkey }}" ]]; then
cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_path.outputs }}
cosign verify --key ${{ inputs.pubkey }} ${{ steps.normalized_registry.outputs }}/${CONTAINERS}
elif [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
cosign verify ${{ steps.container_path.outputs }} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
cosign verify ${{ steps.normalized_registry.outputs }}/${CONTAINERS} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
else
exit 1
fi
env:
CONTAINERS: ${{ inputs.containers }}
COSIGN_EXPERIMENTAL: false
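Review bot: The rewritten verify lines keep `${{ inputs.pubkey }}`, `${{ inputs.cert-identity }}` and `${{ inputs.oidc-issuer }}` interpolated directly into the `run:` script, while `containers` was moved into `env` as `CONTAINERS` on the same step; that inconsistency leaves three inputs that can still alter the shell command text. Carry them the same way, `PUBKEY: ${{ inputs.pubkey }}`, `CERT_IDENTITY: ${{ inputs.cert-identity }}`, `OIDC_ISSUER: ${{ inputs.oidc-issuer }}`, and reference them as quoted `"$PUBKEY"` / `"$CERT_IDENTITY"` / `"$OIDC_ISSUER"` in the script, which also fixes the unquoted `--key ${{ inputs.pubkey }}` breaking on a path with spaces. The `else` branch's bare `exit 1` is pre-existing, but since this step is being reworked a one-line message naming the missing `pubkey` or `cert-identity`/`oidc-issuer` pair would make the failure diagnosable from the log. The enclosing `runs:` block starts outside the hunk.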
