forked from ublue-os/bazzite
-
Notifications
You must be signed in to change notification settings - Fork 0
48 lines (41 loc) · 1.37 KB
/
sign_image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: Sign Image
# A workflow to sign an image on demand
on:
workflow_dispatch:
inputs:
image:
description: 'Image to sign, including the tag'
required: true
jobs:
sign:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get digest
id: get-digest
env:
IMAGE_TO_SIGN: ${{ inputs.image }}
run: |
digest=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Digest}}')
name=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Name}}')
echo "DIGEST=$digest" >> $GITHUB_OUTPUT
echo "NAME=$name" >> $GITHUB_OUTPUT
- name: Setup Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Sign Image
env:
SIGNING_KEY: ${{ secrets.SIGNING_SECRET }}
IMAGE_NAME: ${{ steps.get-digest.outputs.NAME }}
IMAGE_DIGEST: ${{ steps.get-digest.outputs.DIGEST }}
run: |
cosign sign -y --key env://SIGNING_KEY $IMAGE_NAME@$IMAGE_DIGEST