diff --git a/.github/workflows/test-iso.yml b/.github/workflows/test-iso.yml
index 0465b1b9..c9c84a57 100644
--- a/.github/workflows/test-iso.yml
+++ b/.github/workflows/test-iso.yml
@@ -18,9 +18,14 @@ jobs:
     container:
       image: fedora:39
       options: "--privileged"
+      env:
+        GITHUB_HOST: ${{ github.server_url }}
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
+        ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
     permissions:
       contents: read
       packages: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -55,4 +60,4 @@ jobs:
         run: exit 1
       - name: Exit
         shell: bash
-        run: exit 0
\ No newline at end of file
+        run: exit 0
diff --git a/action.yml b/action.yml
index 83438cd9..a5eb49c4 100644
--- a/action.yml
+++ b/action.yml
@@ -74,6 +74,9 @@ runs:
         ref: ${{ inputs.ACTION_REF }}
         submodules: recursive
 
+    - name: install cosign
+      uses: sigstore/cosign-installer@v3.4.0
+
     - name: Install dependencies
       shell: bash
       run: make install-deps
@@ -124,6 +127,18 @@ runs:
         sha256sum ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso > ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM
         mv ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso end_iso/
 
+    - name: sign checksum
+      shell: bash
+      env:
+        COSIGN_YES: "true"
+      run: |
+        cosign sign-blob ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+        cosign verify-blob \
+          ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM \
+          --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+          --certificate-identity-regexp 'https://github.com/${{ github.workflow_ref }}' \
+          --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
+
     - name: Upload ISO as artifact
       uses: actions/upload-artifact@v4
       with:
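Review bot: `id-token: write` is granted to the whole job and the two `ACTIONS_ID_TOKEN_REQUEST_*` values are placed in the environment of the `--privileged` container, so every step that runs in it — `make install-deps`, the cosign installer and any other `uses:` step — can mint an OIDC token carrying this workflow's identity, not only the signing step. If signing has to stay in this job, record the trade-off above `env:`, e.g. `# OIDC request creds are forwarded into the container for keyless cosign signing; note every step in this job can mint a token`; the cleaner shape is a separate job that only signs and is the only one holding `id-token: write`. `GITHUB_HOST` is not a documented Actions variable, so presumably some tool in the image reads it for GHES support — a one-line comment naming the consumer would save the next reader a search. The job definition starts before this hunk.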
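Review bot: `sigstore/cosign-installer@v3.4.0` is pinned to a mutable tag, and this is the step that installs the tool producing the release signature, so a moved tag would silently replace the signer itself. Pin the full commit SHA and keep the version as a trailing comment so Dependabot can still track it: `uses: sigstore/cosign-installer@<commit-sha-of-v3.4.0> # v3.4.0`. The checkout step this follows begins outside the hunk.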
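Review bot: the `--bundle` line of `cosign verify-blob` has no trailing `\`, so the command ends there and the following `--certificate-identity-regexp … \` line is executed as a separate command; the step fails either way (bash reports command not found, and recent cosign also refuses to verify a blob with no identity constraint), so this step can never pass as written. Add the continuation and, since `github.workflow_ref` names exactly one workflow, prefer an exact match over an unanchored regexp with unescaped dots: `--bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle \` followed by `--certificate-identity 'https://github.com/${{ github.workflow_ref }}' \`. The hard-coded `https://github.com/` and `token.actions.githubusercontent.com` will not match on a GHES host even though the workflow in this same change forwards `GITHUB_HOST`, so a comment stating that the action assumes github.com belongs above the step. Because this is a composite action, the caller has to grant the permission or `sign-blob` fails — document it, e.g. `# keyless signing: the calling workflow must set permissions: id-token: write`. The `${{ inputs.* }}` values are interpolated straight into the script, as the existing sha256sum lines already do; if any caller can pass attacker-influenced names they should be routed through `env:` rather than expanded inline.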