From 0eeb0c20cd570937b77fe54c496c804df5bf0507 Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Tue, 31 May 2022 11:42:32 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=8C=B1=20Signing=20scorecard=20images=20u?=
 =?UTF-8?q?sing=20cosign=20(#1970)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* --wip-- [skip ci]
* :seedling: Signing scorecard images using cosign
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/publishimage.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml
index 69e95bcb..1d3964f3 100644
--- a/.github/workflows/publishimage.yml
+++ b/.github/workflows/publishimage.yml
@@ -22,7 +22,7 @@ permissions:
 on:
 push:
 branches:
- - main
+ - main
 env:
 GO_VERSION: 1.17.7
@@ -30,22 +30,24 @@ jobs:
 unit-test:
 name: publishimage
 runs-on: ubuntu-latest
+ env:
+ COSIGN_EXPERIMENTAL: "true"
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # v1
+ uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
 with:
 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - name: Clone the code
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 with:
 fetch-depth: 0
 - name: Setup Go
- uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+ uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: install ko
- uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
+ uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675
 - name: publishimage
 uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
 with:
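Review bot: Dropping the `# v2.3.4`-style version comments from the four SHA-pinned `uses:` lines (harden-runner, checkout, setup-go, setup-ko) removes the only human-readable record of which release each commit SHA corresponds to, which is what reviewers and pin-update tooling such as Dependabot and Renovate rely on to audit and bump pins; keep the comments, e.g. `uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4`. The new `COSIGN_EXPERIMENTAL: "true"` job env enables keyless signing, which requires the job to hold `id-token: write` (and pushing the signature to ghcr needs `packages: write`); the `permissions:` block is outside this hunk, so confirm it grants those and nothing broader. The `sigstore/cosign-installer` step added in the last hunk is pinned to a bare SHA too, so the same version-comment convention should apply there.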
@@ -56,3 +58,8 @@ jobs:
 go env -w GOFLAGS=-mod=mod
 make install
 make scorecard-ko
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656
+ - name: Sign image
+ run: |
+ cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}
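Review bot: The new "Sign image" step signs by tag, `scorecard/v4:${{ github.sha }}`, so cosign resolves the tag at sign time and attests whatever the registry returns for it then, not necessarily the artifact the preceding step pushed; signing by digest (`ghcr.io/${{ github.repository_owner }}/scorecard/v4@<digest>`) binds the signature to the exact image. The publish step that would produce that digest (`make scorecard-ko` via the retry action) lies outside this hunk, so how to capture it — ko prints the digest reference on success — depends on that step's output handling. Minor: `${{github.repository_owner}}` is written without the surrounding spaces used elsewhere in the file (`${{ github.sha }}`), and passing both values to the script through `env:` rather than inline expression expansion is the safer convention for `run:` blocks.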