chore: Fix signing step in build.yml

This commit is contained in:
Kyle Gospodnetich 2023-03-04 16:45:59 -08:00
parent 3f03beddea
commit 04fa577f97


@ -95,6 +95,7 @@ jobs:
- name: Push To GHCR - name: Push To GHCR
uses: redhat-actions/push-to-registry@v2 uses: redhat-actions/push-to-registry@v2
id: push id: push
if: github.event_name != 'pull_request'
env: env:
REGISTRY_USER: ${{ github.actor }} REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }} REGISTRY_PASSWORD: ${{ github.token }}
@ -106,42 +107,30 @@ jobs:
password: ${{ env.REGISTRY_PASSWORD }} password: ${{ env.REGISTRY_PASSWORD }}
extra-args: | extra-args: |
--disable-content-trust --disable-content-trust
# Sign container
- uses: sigstore/cosign-installer@main
- name: Write cosign keys to disk
run: |
echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
echo "${{ env.COSIGN_PUBLIC_KEY }}" > cosign.pub
# DEBUG: get character count of keys
wc -c cosign.key
wc -c cosign.pub
env:
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
COSIGN_PUBLIC_KEY: ${{ secrets.SIGNING_PUBLIC }}
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v2 uses: docker/login-action@v2
if: github.event_name != 'pull_request'
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Sign container image # Sign container
run: | - uses: sigstore/cosign-installer@v3.0.1
cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} if: github.event_name != 'pull_request'
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
- name: Verify signed image - name: Sign container image
if: github.event_name != 'pull_request'
run: | run: |
cosign verify --key cosign.pub ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
wc -c cosign.key
cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
env: env:
TAGS: ${{ steps.push.outputs.digest }} TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Echo outputs - name: Echo outputs
if: github.event_name != 'pull_request'
run: | run: |
echo "${{ toJSON(steps.push.outputs) }}" echo "${{ toJSON(steps.push.outputs) }}"