Merge pull request #1491 from fluxcd/cosign

ci: update cosign signing
fluxcd · Aug 28, 2023 · 7af4498 · 7af4498
2 parents 5a809d7 + 7cce4fd
commit 7af4498
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/.github/workflows/push-ld.yml b/.github/workflows/push-ld.yml
@@ -43,6 +43,7 @@ jobs:
           tags: |
             type=raw,value=${{ steps.prep.outputs.VERSION }}
       - name: Publish image
+        id: build-push
         uses: docker/build-push-action@v4
         with:
           push: true
@@ -58,4 +59,4 @@ jobs:
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -59,6 +59,7 @@ jobs:
           tags: |
             type=raw,value=${{ steps.prep.outputs.VERSION }}
       - name: Publish image
+        id: build-push
         uses: docker/build-push-action@v4
         with:
           sbom: true
@@ -76,7 +77,7 @@ jobs:
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
       - name: Publish Helm charts
         if: startsWith(github.ref, 'refs/tags/v')
         uses: stefanprodan/helm-gh-pages@v1.7.0
@@ -93,19 +94,22 @@ jobs:
           COSIGN_EXPERIMENTAL: 1
         run: |
           helm package charts/flagger
-          helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts
-          cosign sign ghcr.io/fluxcd/charts/flagger:${{ steps.prep.outputs.VERSION }}
+          digest = $(helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts | awk '/Digest:/ {print $2}' | tr -d '\n' | xargs)
+          cosign sign --yes ghcr.io/fluxcd/charts/flagger@${{ digest }}
           rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
       - name: Publish signed manifests to GHCR
         if: startsWith(github.ref, 'refs/tags/v')
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          flux push artifact oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
-          --path="./kustomize" \
-          --source="$(git config --get remote.origin.url)" \
-          --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)"
-          cosign sign ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }}
+          digest_url = $(flux push artifact \
+            oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)"
+            --output json | \
+            jq -r '. | .repository + "@" + .digest')
+          cosign sign --yes ${{ digest_url }}
       - uses: anchore/sbom-action/download-syft@v0
       - name: Create release and SBOM
         uses: goreleaser/goreleaser-action@v4