Skip to content

Sign container image with Sigstore cosign #28

Sign container image with Sigstore cosign

Sign container image with Sigstore cosign #28

Workflow file for this run

name: ci
on:
pull_request:
permissions:
contents: read
id-token: write
packages: write
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Fetch all tags
run: git fetch --force --tags
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- name: Run Go Vet
run: go vet ./...
- name: Run Go Tests
run: go test ./... -cover -race
- name: Build binary
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: '~> v2'
args: build --snapshot
- name: Install license check tool
run: go install github.com/google/addlicense@v1
- name: Check licenses
run: addlicense -l apache -check -v -ignore '**/*.yaml' -c Humanitec ./cmd ./internal/
- name: Build docker image
uses: docker/build-push-action@v6
with:
context: .
push: false
load: true
tags: score-compose:test
- name: Test docker image
run: |
docker run --rm score-compose:test --version
docker run -v .:/score-compose --rm score-compose:test init
cat score.yaml
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Sign container image
run: |
cosign sign --yes ghcr.io/score-spec/score-compose@sha256:02b7118bc4c514af6ac7514dd563cf8ea1ce5725a3d487c351215cb51e7f7b11