Skip to content

Commit

Permalink
use intermediate environment variables to avoid risks of script injec…
Browse files Browse the repository at this point in the history
…tion (#122)

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
  • Loading branch information
developer-guy authored May 16, 2023
1 parent 84448ba commit 46b5db7
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,16 +126,21 @@ jobs:
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- name: Sign image with a key
run: |
cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
env:
TAGS: ${{ steps.docker_meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
- name: Sign the images with GitHub OIDC Token
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
TAGS: ${{ steps.docker_meta.outputs.tags }}
run: echo "${TAGS}" | xargs -I {} cosign sign {}@${DIGEST}
```

### Optional Inputs
Expand Down

0 comments on commit 46b5db7

Please sign in to comment.