Update push-docker only sigh fat and normal

Anthony Stirling 2024-12-26 13:32:22 +00:00 committed by GitHub
parent db1fa28230
commit 0f24fa104e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -41,6 +41,7 @@ jobs:
DOCKER_ENABLE_SECURITY: false DOCKER_ENABLE_SECURITY: false
- name: Install cosign - name: Install cosign
if: github.ref == 'refs/heads/master'
uses: sigstore/cosign-installer@v3.7.0 uses: sigstore/cosign-installer@v3.7.0
with: with:
cosign-release: 'v2.4.1' cosign-release: 'v2.4.1'
@ -105,32 +106,19 @@ jobs:
sbom: true sbom: true
- name: Sign regular images - name: Sign regular images
if: github.ref == 'refs/heads/master'
env: env:
DIGEST: ${{ steps.build-push-regular.outputs.digest }} DIGEST: ${{ steps.build-push-regular.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }} TAGS: ${{ steps.meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: | run: |
# Always sign images regardless of branch
echo "$TAGS" | tr ',' '\n' | while read -r tag; do echo "$TAGS" | tr ',' '\n' | while read -r tag; do
cosign sign --yes \ cosign sign --yes \
--key env://COSIGN_PRIVATE_KEY \ --key env://COSIGN_PRIVATE_KEY \
"${tag}@${DIGEST}" "${tag}@${DIGEST}"
done done
# For alpha builds specifically, we want to ensure they're marked as development builds
if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
echo "Signing alpha build with development attestation"
echo "$TAGS" | tr ',' '\n' | while read -r tag; do
if [[ $tag == *":alpha" ]]; then
cosign attest --key env://COSIGN_PRIVATE_KEY \
--predicate <(echo '{"type":"development"}') \
--yes "${tag}@${DIGEST}"
fi
done
fi
- name: Generate tags ultra-lite - name: Generate tags ultra-lite
id: meta2 id: meta2
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
@ -162,18 +150,6 @@ jobs:
provenance: true provenance: true
sbom: true sbom: true
- name: Sign ultra-lite images
if: github.ref != 'refs/heads/main'
env:
DIGEST: ${{ steps.build-push-lite.outputs.digest }}
TAGS: ${{ steps.meta2.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: |
echo "$TAGS" | tr ',' '\n' | while read -r tag; do
cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}"
done
- name: Generate tags fat - name: Generate tags fat
id: meta3 id: meta3
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
@ -207,7 +183,7 @@ jobs:
sbom: true sbom: true
- name: Sign fat images - name: Sign fat images
if: github.ref != 'refs/heads/main' if: github.ref == 'refs/heads/master'
env: env:
DIGEST: ${{ steps.build-push-fat.outputs.digest }} DIGEST: ${{ steps.build-push-fat.outputs.digest }}
TAGS: ${{ steps.meta3.outputs.tags }} TAGS: ${{ steps.meta3.outputs.tags }}