-
Notifications
You must be signed in to change notification settings - Fork 0
65 lines (55 loc) · 2.02 KB
/
sign-image.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
name: Sign Image & SBOM
on:
workflow_call:
inputs:
### Values from CICD Workflow ###
REGISTRY:
required: true
type: string
description: 'The Environemnt which should be used.'
ORGANISATION_NAME:
type: string
required: true
description: 'The Subscription ID which should be used.'
COMMIT_SHORT_SHA:
type: string
required: true
description: 'The Subscription ID which should be used.'
env:
SBOM: '${{ inputs.COMMIT_SHORT_SHA }}-patched-sbom.cdx.json'
IMAGE: '${{ inputs.REGISTRY }}/${{ inputs.ORGANISATION_NAME }}/cd-security-dev-demo:${{ inputs.COMMIT_SHORT_SHA }}-patched'
GHCR: '${{ inputs.REGISTRY }}/${{ inputs.ORGANISATION_NAME }}/cd-security-dev-demo'
jobs:
sign-image:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write # needed for publishing the patched image to the GitHub Container Registry
id-token: write # needed for signing the images with GitHub OIDC Token
steps:
- name: Install Cosign
# https://github.com/sigstore/cosign-installer
uses: sigstore/cosign-installer@v3.6.0
- name: Install Crane
# https://github.com/imjasonh/setup-crane
uses: imjasonh/setup-crane@v0.4
- name: Get Digest
id: crane
run: |
DIGEST=$(crane digest ${{ env.IMAGE }})
echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
- name: Download SBOM artifact
uses: actions/download-artifact@v4
with:
name: '${{ env.SBOM }}'
- name: Login to GitHub Container Registry
id: login
uses: docker/login-action@v3.3.0
with:
registry: ${{ inputs.REGISTRY }}
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Attach & sign SBOM
run: cosign attest --yes -predicate ${{ env.SBOM }} ${{ env.IMAGE }} --type=cyclonedx
- name: Sign the OCI artifact
run: cosign sign --yes '${{ env.GHCR }}@${{ steps.crane.outputs.DIGEST }}'