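# Composite action: install a pinned cosign release, resolve the image's
# repository digest, and keyless-sign the image by digest (GitHub OIDC).
# Action inputs are passed to shell steps through `env:` rather than being
# interpolated with `${{ }}` into `run:` scripts, so input content is data,
# not code, for the shell.
name: Sign a container image
description: |
  Make sure to add (needed by cosign):
  ```
  permissions:
    id-token: write
    contents: read
  ```
inputs:
  cosign-version:
    description: Version of cosign (check latest from https://github.com/sigstore/cosign/releases)
    required: false
    default: 'v3.0.6'
  image-name:
    description: Image name
    required: true
  image-path:
    description: Image path
    required: true
  image-tag:
    description: Image tag
    required: true
  readonly:
    description: If true, skip the signing step
    required: false
    default: 'false'
runs:
  using: "composite"
  steps:
    - name: Install Cosign
      # The checksum file is fetched from the same release as the binary, so
      # this check only detects a corrupted or truncated download; it does not
      # authenticate the release itself.
      run: |
        echo "Downloading Cosign binary and checksums..."
        # -f: an HTTP error is a failure, not an error page saved as the binary.
        curl -sSfL --retry 3 -O "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${COSIGN_BINARY}"
        curl -sSfL --retry 3 -O "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${COSIGN_CHECKSUM_FILE}"
        echo "Verifying checksum..."
        # `shell: bash` runs the script with -e and pipefail, so a failing
        # pipeline must be tested directly in the `if`; a later `$?` check is
        # never reached because the script already exited.
        if grep "${COSIGN_BINARY}$" "${COSIGN_CHECKSUM_FILE}" | sha256sum --check --status; then
          echo "Verification successful!"
          rm "${COSIGN_CHECKSUM_FILE}"
          chmod +x "${COSIGN_BINARY}"
          sudo mv "${COSIGN_BINARY}" /usr/local/bin/cosign
          cosign version
        else
          echo "ERROR: Checksum verification failed!" >&2
          exit 1
        fi
      shell: bash
      env:
        COSIGN_BINARY: cosign-linux-amd64
        COSIGN_CHECKSUM_FILE: cosign_checksums.txt
        COSIGN_VERSION: ${{ inputs.cosign-version }}
    - name: Get image digest
      id: digest
      env:
        # Built from inputs here, not inside `run:`, to avoid expression injection.
        IMAGE_REF: ${{ inputs.image-path }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
      run: |
        DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "${IMAGE_REF}" | cut -d'@' -f2)
        # An empty digest would make the sign step operate on "image@", so fail early.
        if [ -z "${DIGEST}" ]; then
          echo "ERROR: no repository digest found for ${IMAGE_REF}; has the image been pushed?" >&2
          exit 1
        fi
        echo "DIGEST=${DIGEST}" >> "${GITHUB_OUTPUT}"
      shell: bash
    - name: Sign image with Cosign
      if: inputs.readonly != 'true'
      env:
        # Not required by cosign 2.x and later (keyless is the default); kept
        # so an older pinned cosign-version still signs keyless.
        COSIGN_EXPERIMENTAL: 1
        # Signing by digest (not tag) so the signature binds to immutable content.
        IMAGE_BY_DIGEST: ${{ inputs.image-path }}/${{ inputs.image-name }}@${{ steps.digest.outputs.DIGEST }}
      run: |
        cosign sign --yes "${IMAGE_BY_DIGEST}"
      shell: bash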