From e9ee59a9e6a215ffca4a79fad334d2a666a96971 Mon Sep 17 00:00:00 2001
From: Bradley Reynolds
Date: Fri, 30 Aug 2024 22:50:49 -0500
Subject: [PATCH] Replace Cosign with GitHub native attestation

No longer double signing.

Signed-off-by: Bradley Reynolds
---
 .github/workflows/container-build-push.yaml | 22 +--------------------
 1 file changed, 1 insertion(+), 21 deletions(-)

diff --git a/.github/workflows/container-build-push.yaml b/.github/workflows/container-build-push.yaml
index 78e4120..eca5e49 100644
--- a/.github/workflows/container-build-push.yaml
+++ b/.github/workflows/container-build-push.yaml
@@ -26,18 +26,11 @@ jobs:
 permissions:
 contents: read
 packages: write
- # This is used to complete the identity challenge
- # with sigstore/fulcio.
- id-token: write
 # Used by actions/attest-build-provenance
+ id-token: write
 attestations: write
 steps:
- - name: "Install cosign"
- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- with:
- cosign-release: "v1.13.6"
-
 - name: "Setup Docker buildx"
 uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
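Review bot: The comment that now sits above `id-token: write` says only which action consumes the permission, while the removed lines explained why the OIDC token is needed at all; that rationale still holds for `actions/attest-build-provenance`, which exchanges the job's OIDC token for a short-lived Sigstore signing certificate, so I would keep it, e.g. `# OIDC token: actions/attest-build-provenance exchanges it for a short-lived Sigstore signing certificate`. Removing the `cosign-installer` step is fine as long as no later step in the workflow still invokes `cosign`; the second hunk removes the only signing step visible here, but the rest of the workflow is outside this diff.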
@@ -71,19 +64,6 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
- # Sign the resulting Docker image digest.
- # This will only write to the public Rekor transparency log when the Docker
- # repository is public to avoid leaking data. If you would like to publish
- # transparency data even for private images, pass --force to cosign below.
- # https://github.com/sigstore/cosign
- - name: "Sign the published Docker image"
- if: ${{ inputs.push }}
- env:
- COSIGN_EXPERIMENTAL: "true"
- # This step uses the identity token to provision an ephemeral certificate
- # against the sigstore community Fulcio instance.
- run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
-
 - name: Generate artifact attestation
 if: ${{ inputs.push }}
 uses: actions/attest-build-provenance@210c1913531870065f03ce1f9440dd87bc0938cd # v1.4.0
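Review bot: Dropping the `cosign sign` step removes the registry-stored signature that any `cosign verify`-based consumer (a deploy pipeline or admission policy keyed on this image digest) checks, whereas the provenance attestation from `actions/attest-build-provenance` is verified through a different path (`gh attestation verify`, or a Sigstore bundle if it is pushed to the registry), so this is a consumer-facing change rather than merely the end of "double signing" and the description should say which verification path downstream is expected to use. Whether the attestation reaches the registry at all depends on the step's `with:` inputs (`subject-name`, `subject-digest`, `push-to-registry`), which lie past the end of this hunk, so the step's body continues outside the hunk and should be checked. The removed comment also documented a privacy consideration (public Rekor log vs. private repositories) that, as far as I recall from the action's README, still applies in a different form; I would keep a short note above the attestation step along the lines of `# Provenance is signed via Sigstore with the job's OIDC token; confirm where attestations for private repos are recorded before relying on the public log`.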