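# Reusable workflow: verifies the cosign signatures of a build produced by the
# Docker GitHub Builder reusable workflows.
#
# The caller passes the builder job outputs as one JSON string. This workflow
# reads the cosign version, the verify commands and (for local outputs) the
# artifact name from it, installs cosign and runs every verify command. When
# the builder reports the output as not signed, all verification steps are
# skipped with a warning.
name: verify

on:
  workflow_call:
    inputs:
      builder-outputs:
        type: string
        description: "JSON build outputs from Docker GitHub Builder reusable workflows"
        required: true
    secrets:
      registry-auths:
        description: "Registry authentication details as YAML objects"
        required: false

env:
  # Pinned toolkit release used to download and install cosign below.
  DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.76.0"

jobs:
  verify:
    runs-on: ubuntu-24.04
    steps:
      # Parse the builder outputs once and re-expose the fields the later
      # steps need as step outputs, so every step reads the same values.
      -
        name: Extract builder outputs
        id: vars
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          INPUT_BUILDER-OUTPUTS: ${{ inputs.builder-outputs }}
        with:
          script: |
            const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
            core.info(JSON.stringify(builderOutputs, null, 2));
            const cosignVersion = builderOutputs['cosign-version'];
            const cosignVerifyCommands = builderOutputs['cosign-verify-commands'];
            const artifactName = builderOutputs['artifact-name'];
            const outputType = builderOutputs['output-type'];
            // Job outputs are strings, but a JSON boolean is accepted as well so
            // a builder emitting `true` is not silently treated as unsigned.
            const signed = String(builderOutputs['signed']) === 'true';
            if (!signed) {
              core.warning('No signatures to verify, skipping verification steps');
            } else if (!cosignVersion || !cosignVerifyCommands || !outputType || (outputType === 'local' && !artifactName)) {
              // A signed build with incomplete metadata is a hard failure: it
              // must not reach the verify step with nothing to run.
              core.setFailed('Missing required builder outputs for signature verification');
              return;
            }
            core.setOutput('cosign-version', cosignVersion);
            core.setOutput('cosign-verify-commands', cosignVerifyCommands);
            core.setOutput('artifact-name', artifactName);
            core.setOutput('output-type', outputType);
            core.setOutput('signed', signed);
      -
        name: Install @docker/actions-toolkit
        if: ${{ steps.vars.outputs.signed == 'true' }}
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }}
        with:
          script: |
            // --ignore-scripts keeps the toolkit's install from running package lifecycle scripts.
            await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
      -
        name: Install Cosign
        if: ${{ steps.vars.outputs.signed == 'true' }}
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          INPUT_COSIGN-VERSION: ${{ steps.vars.outputs.cosign-version }}
        with:
          script: |
            const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
            const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
            const cosignInstall = new Install();
            // The cosign release is downloaded at the version the builder used
            // and its own release signature is checked before installation.
            const cosignBinPath = await cosignInstall.download({
              version: core.getInput('cosign-version'),
              ghaNoCache: true,
              skipState: true,
              verifySignature: true
            });
            await cosignInstall.install(cosignBinPath);
            const cosign = new Cosign();
            await cosign.printVersion();
      -
        # Registry credentials are only needed when the signed output is an image.
        name: Login to registry
        if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'image' }}
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry-auth: ${{ secrets.registry-auths }}
        env:
          # Quoted so the value is an explicit string rather than a YAML boolean.
          DOCKER_LOGIN_SCOPE_DISABLED: "true" # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
      -
        name: Download artifacts
        if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'local' }}
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: ${{ steps.vars.outputs.artifact-name }}
      # The verify commands are taken verbatim from the builder outputs and
      # executed as-is; the caller's builder job is the trust boundary for
      # this input, so only outputs produced by the trusted builder workflow
      # should be passed in.
      -
        name: Verify signatures
        if: ${{ steps.vars.outputs.signed == 'true' }}
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          INPUT_COSIGN-VERIFY-COMMANDS: ${{ steps.vars.outputs.cosign-verify-commands }}
        with:
          script: |
            const commands = core.getMultilineInput('cosign-verify-commands');
            if (commands.length === 0) {
              // Fail closed: a signed build with an empty command list would
              // otherwise pass this step without verifying anything.
              core.setFailed('No cosign verify commands to run');
              return;
            }
            for (const cmd of commands) {
              await exec.exec(cmd);
            }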