chore: Fix signing step in build.yml

2025-02-20 15:40:35 +00:00 · 2023-03-04 16:45:59 -08:00 · 2023-03-04 16:45:59 -08:00 · 04fa577f97
commit 04fa577f97
parent 3f03beddea
1 changed files with 13 additions and 24 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -95,6 +95,7 @@ jobs:
      - name: Push To GHCR
        uses: redhat-actions/push-to-registry@v2
        id: push
+        if: github.event_name != 'pull_request'
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ github.token }}
@ -106,42 +107,30 @@ jobs:
          password: ${{ env.REGISTRY_PASSWORD }}
          extra-args: |
            --disable-content-trust
-
-      # Sign container
-      - uses: sigstore/cosign-installer@main
-
-      - name: Write cosign keys to disk
-        run: |
-          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
-          echo "${{ env.COSIGN_PUBLIC_KEY }}" > cosign.pub
-          # DEBUG: get character count of keys
-          wc -c cosign.key
-          wc -c cosign.pub
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
-          COSIGN_PUBLIC_KEY: ${{ secrets.SIGNING_PUBLIC }}
-
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
+        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Sign container image
-        run: |
-          cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
-        env:
-          TAGS: ${{ steps.push.outputs.digest }}
-          COSIGN_EXPERIMENTAL: false
+      # Sign container
+      - uses: sigstore/cosign-installer@v3.0.1
+        if: github.event_name != 'pull_request'

-      - name: Verify signed image
+      - name: Sign container image
+        if: github.event_name != 'pull_request'
        run: |
-          cosign verify --key cosign.pub ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
+          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
+          wc -c cosign.key
+          cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
        env:
          TAGS: ${{ steps.push.outputs.digest }}
          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

      - name: Echo outputs
+        if: github.event_name != 'pull_request'
        run: |
-          echo "${{ toJSON(steps.push.outputs) }}"
+          echo "${{ toJSON(steps.push.outputs) }}"