2024-07-21 19:37:48 +00:00
|
|
|
name: Sign Image
|
|
|
|
|
|
|
|
|
|
# A workflow to sign an image on demand
|
|
|
|
|
|
|
|
|
|
on:
|
|
|
|
|
workflow_dispatch:
|
|
|
|
|
inputs:
|
|
|
|
|
image:
|
|
|
|
|
description: 'Image to sign, including the tag'
|
|
|
|
|
required: true
|
|
|
|
|
|
|
|
|
|
jobs:
|
|
|
|
|
sign:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
permissions:
|
|
|
|
|
contents: read
|
|
|
|
|
packages: write
|
|
|
|
|
steps:
|
|
|
|
|
- name: Checkout code
|
|
|
|
|
uses: actions/checkout@v4
|
|
|
|
|
|
|
|
|
|
- name: Login to GHCR
|
2024-07-22 11:18:46 +00:00
|
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
|
2024-07-21 19:37:48 +00:00
|
|
|
with:
|
|
|
|
|
registry: ghcr.io
|
|
|
|
|
username: ${{ github.actor }}
|
|
|
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
|
|
|
|
|
|
- name: Get digest
|
|
|
|
|
id: get-digest
|
|
|
|
|
env:
|
|
|
|
|
IMAGE_TO_SIGN: ${{ inputs.image }}
|
|
|
|
|
run: |
|
|
|
|
|
digest=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Digest}}')
|
|
|
|
|
name=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Name}}')
|
|
|
|
|
echo "DIGEST=$digest" >> $GITHUB_OUTPUT
|
|
|
|
|
echo "NAME=$name" >> $GITHUB_OUTPUT
|
|
|
|
|
|
|
|
|
|
- name: Setup Cosign
|
2024-10-08 07:08:19 +00:00
|
|
|
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
2024-07-21 19:37:48 +00:00
|
|
|
|
|
|
|
|
- name: Sign Image
|
|
|
|
|
env:
|
|
|
|
|
SIGNING_KEY: ${{ secrets.SIGNING_SECRET }}
|
|
|
|
|
IMAGE_NAME: ${{ steps.get-digest.outputs.NAME }}
|
|
|
|
|
IMAGE_DIGEST: ${{ steps.get-digest.outputs.DIGEST }}
|
|
|
|
|
run: |
|
|
|
|
|
cosign sign -y --key env://SIGNING_KEY $IMAGE_NAME@$IMAGE_DIGEST
|
