From b72a6f400215fa77d4666ced1514c1a008ecb02d Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Mon, 18 Dec 2023 19:39:43 -0700
Subject: [PATCH] feat(verify): Support verification of multiple containers at once

---
 .github/workflows/test-actions.yml | 2 +-
 verify/action.yml | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
index 1d9f51d..34e23cb 100644
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -122,7 +122,7 @@ jobs:
 - name: Verify image
 uses: ./verify
 with:
- container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
+ containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
 pubkey: ./cosign.pub
 
 - name: Echo outputs
diff --git a/verify/action.yml b/verify/action.yml
index 835d79c..b3920d7 100644
--- a/verify/action.yml
+++ b/verify/action.yml
@@ -5,8 +5,8 @@ inputs:
 cert-identity:
 description: 'The identity certificate'
 required: false
- container:
- description: 'Path to target container to verify'
+ containers:
+ description: 'Paths to target containers'
 required: true
 pubkey:
 description: 'Public key used by target container'
@@ -31,11 +31,12 @@ runs:
 shell: bash
 run:
 if [[ -n ${{ inputs.pubkey }} ]]; then
- cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_case.outputs.lowercase }}
+ cosign verify --key ${{ inputs.pubkey }} env://CONTAINERS[@]
 elif [[ -n ${{ inputs.cert-identity }} && -n ${{ inputs.oidc-issuer }} ]]; then
- cosign verify ${{ inputs.container }} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
+ cosign verify env://CONTAINERS[@] --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
 else
 exit 1
 fi
 env:
+ CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
 COSIGN_EXPERIMENTAL: false
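Review bot: The new `containers` description in the `@@ -5,8 +5,8 @@ inputs:` hunk does not say how several references are separated, and the step that consumes the value (further down the file, outside this hunk) is what decides that; the description should state the delimiter the consumer splits on, e.g. `description: 'List of container image references to verify, separated by whitespace'` if that is what the verify step expects. Renaming the required input from `container` to `containers` also silently breaks every existing caller that still passes `container`: GitHub Actions drops the unknown input with only a warning, so `containers` arrives empty and what the verify step then does with an empty value is not visible here. Either keep `container` as an optional, deprecated alias that the step folds into the list, or mark the rename as a breaking change in the commit subject so callers are updated deliberately.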
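Review bot: `env://CONTAINERS[@]` on both new `cosign verify` lines in the `@@ -31,11 +31,12 @@ runs:` hunk reaches cosign as a literal image reference — bash does not expand that spelling, and as far as I know cosign resolves `env://` only for key and certificate material, not for image positional arguments — so the step will fail to parse the reference rather than verify every image in `CONTAINERS`. Splitting the value into a bash array and passing `"${IMAGES[@]}"` verifies each reference in one invocation and lets a failure on any one of them fail the step; the delimiter emitted by `steps.container_case` (outside the hunk) must match what `read -ra` splits on, whitespace below. While here, the other inputs are still interpolated straight into the script (`[[ -n ${{ inputs.pubkey }} ]]` becomes `[[ -n ]]`, which is true, when the input is empty, so an empty key falls into the `--key` branch), and routing them through `env:` like `CONTAINERS` keeps the shell from ever seeing raw input text. The hunk shows `run:` with no `|`; if that is the real file and not an extraction artefact, the script is a folded plain scalar and `else`/`fi` land inside one command line, so `run: |` is needed for the block below to work.

```yaml
      run: |
        # CONTAINERS is a whitespace-separated list; one cosign call verifies all of them
        read -ra IMAGES <<< "$CONTAINERS"
        if [[ -n "$PUBKEY" ]]; then
          cosign verify --key "$PUBKEY" "${IMAGES[@]}"
        elif [[ -n "$CERT_IDENTITY" && -n "$OIDC_ISSUER" ]]; then
          cosign verify --certificate-identity="$CERT_IDENTITY" --certificate-oidc-issuer="$OIDC_ISSUER" "${IMAGES[@]}"
        else
          exit 1
        fi
      env:
        CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
        PUBKEY: ${{ inputs.pubkey }}
        CERT_IDENTITY: ${{ inputs.cert-identity }}
        OIDC_ISSUER: ${{ inputs.oidc-issuer }}
        # … unchanged: COSIGN_EXPERIMENTAL …
```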