From e7d18c4980cf5c942c191b240ce081a43bf12a6b Mon Sep 17 00:00:00 2001
From: Bence Csati
Date: Wed, 9 Oct 2024 13:02:18 +0200
Subject: [PATCH] feat: verify signed image and chart
Signed-off-by: Bence Csati
test
Signed-off-by: Bence Csati
test
Signed-off-by: Bence Csati
test
Signed-off-by: Bence Csati
feat: verify signed image and chart
Signed-off-by: Bence Csati
feat: verify signed image and chart
Signed-off-by: Bence Csati
feat: verify signed image and chart
Signed-off-by: Bence Csati
---
 .github/workflows/artifacts.yaml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index af6fa2278..9866d93ac 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -135,6 +135,13 @@ jobs:
 cosign sign --yes ${images}

+ - name: Verify signed image with cosign
+ if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+ run: |
+ cosign verify "${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" \
+ --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
 - name: Set image ref
 id: image-ref
 run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"

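Review bot: The `--certificate-identity` on the new `cosign verify` line pins the ref to `${{ github.ref }}`, but the identity Fulcio writes into the certificate comes from the OIDC token's `job_workflow_ref` claim, which names the workflow that defines the job; if artifacts.yaml is consumed as a reusable workflow from another repository or pinned to a tag (the `inputs.publish` gate suggests it is reusable), that value presumably differs from `${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}` and the step would fail on a valid signature — worth confirming with one run from each caller. Verifying in the same job right after signing, with the expected identity computed from the same run context, is a useful smoke test but not a substitute for consumers verifying against a fixed expected identity; a comment on the step such as `# Sanity check only: re-verifies what this run just signed; consumers must verify against the published workflow identity` would set that expectation. The `steps.image-name` and `steps.build` outputs the step reads are defined outside the hunk. The same `if:` expression and trailing comment are repeated on both chart steps in the second hunk; a job-level condition or a single documented expression would keep them from drifting apart.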
@@ -227,7 +234,19 @@ jobs:
 if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
 env:
 PACKAGE: ${{ steps.build.outputs.package }}
- run: cosign sign-blob --yes $PACKAGE
+ run: |
+ cosign sign-blob --yes $PACKAGE \
+ --bundle "$PACKAGE.cosign.bundle"
+
+ - name: Verify signed chart with cosign
+ if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+ env:
+ PACKAGE: ${{ steps.build.outputs.package }}
+ run: |
+ cosign verify-blob $PACKAGE \
+ --bundle "$PACKAGE.cosign.bundle" \
+ --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

 - name: Upload chart as artifact
 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
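Review bot: `$PACKAGE` is passed unquoted as the positional argument on the `cosign sign-blob --yes $PACKAGE \` and `cosign verify-blob $PACKAGE \` lines while the same value is quoted on the `--bundle "$PACKAGE.cosign.bundle"` lines; a path containing whitespace would be word-split into several arguments, so quote it consistently, `cosign sign-blob --yes "$PACKAGE" \` and `cosign verify-blob "$PACKAGE" \`. The new `$PACKAGE.cosign.bundle` file is what a downstream consumer needs to run `cosign verify-blob`, yet nothing in the hunk publishes it; the `path:` of the following `Upload chart as artifact` step is outside the hunk, so it is worth confirming that the bundle travels with the chart into whatever release users fetch, otherwise the chart signature is only ever checked by this run. As with the image step in the first hunk, the verification here derives the expected identity from the current run's `github.repository` and `github.ref`, which makes it a self-check rather than a consumer-side trust decision; a short comment on the step stating that would help readers not over-read it.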