🌱 Signing scorecard images using cosign (#1970)

* --wip-- [skip ci] * 🌱 Signing scorecard images using cosign Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2024-11-04 03:52:31 +03:00 · 2022-05-31 11:42:32 -05:00 · 2022-05-31 11:42:32 -05:00 · 0eeb0c20cd
commit 0eeb0c20cd
parent 4a88dac00f
1 changed files with 12 additions and 5 deletions
--- a/.github/workflows/publishimage.yml
+++ b/.github/workflows/publishimage.yml
@ -30,22 +30,24 @@ jobs:
  unit-test:
    name: publishimage
    runs-on: ubuntu-latest
+    env:
+      COSIGN_EXPERIMENTAL: "true"
    steps:
     - name: Harden Runner
-       uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # v1
+       uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

     - name: Clone the code
-       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4
+       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b 
       with:
          fetch-depth: 0
     - name: Setup Go
-       uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+       uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 
       with:
         go-version: ${{ env.GO_VERSION }}
     - name: install ko
-       uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
+       uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675
     - name: publishimage
       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
       with:
@ -56,3 +58,8 @@ jobs:
            go env -w GOFLAGS=-mod=mod
            make install
            make scorecard-ko
+     - name: Install Cosign
+       uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656
+     - name: Sign image
+       run: |
+          cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}