feat: Use Chainguard's cosign image, drop dependency on cosign-installer

EyeCantCU · Jan 6, 2024 · e1ba146 · e1ba146
1 parent 11f8c11
commit e1ba146
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 9 deletions.
diff --git a/sign/action.yml b/sign/action.yml
@@ -28,15 +28,12 @@ runs:
         username: ${{ github.actor }}
         password: ${{ inputs.registry-token }}
 
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.3.0
-
     - name: Sign container image
       shell: bash
       run: |
         REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
         for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
+          docker run cgr.dev/chainguard/cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
         done
       env:
         CONTAINERS: ${{ inputs.containers }}

diff --git a/verify/action.yml b/verify/action.yml
@@ -26,17 +26,14 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.3.0
-
     - name: Verify container
       shell: bash
       run: |
         REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
         set -o pipefail
         if [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
           for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-            if ! cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
+            if ! docker run cgr.dev/chainguard/cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
               echo "NOTICE: Verification failed. Please ensure your public key is correct."
               if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
                 exit 1
@@ -45,7 +42,7 @@ runs:
           done
         elif [[ -n "${{ inputs.pubkey }}" ]]; then
           for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-            if ! cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
+            if ! docker run cgr.dev/chainguard/cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
               echo "NOTICE: Verification failed. Please ensure your public key is correct."
               if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
                 exit 1