mirror of
https://github.com/ublue-os/bazzite.git
synced 2025-01-08 18:48:45 +00:00
49 lines
1.4 KiB
YAML
49 lines
1.4 KiB
YAML
name: Sign Image
|
|
|
|
# A workflow to sign an image on demand
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
image:
|
|
description: 'Image to sign, including the tag'
|
|
required: true
|
|
|
|
jobs:
|
|
sign:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Login to GHCR
|
|
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Get digest
|
|
id: get-digest
|
|
env:
|
|
IMAGE_TO_SIGN: ${{ inputs.image }}
|
|
run: |
|
|
digest=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Digest}}')
|
|
name=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Name}}')
|
|
echo "DIGEST=$digest" >> $GITHUB_OUTPUT
|
|
echo "NAME=$name" >> $GITHUB_OUTPUT
|
|
|
|
- name: Setup Cosign
|
|
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
|
|
|
|
- name: Sign Image
|
|
env:
|
|
SIGNING_KEY: ${{ secrets.SIGNING_SECRET }}
|
|
IMAGE_NAME: ${{ steps.get-digest.outputs.NAME }}
|
|
IMAGE_DIGEST: ${{ steps.get-digest.outputs.DIGEST }}
|
|
run: |
|
|
cosign sign -y --key env://SIGNING_KEY $IMAGE_NAME@$IMAGE_DIGEST
|