@@ -52,19 +52,36 @@ jobs:
5252 DIGEST : ${{ steps.build-and-push.outputs.digest }}
5353 TAGS : ${{ steps.meta.outputs.tags }}
5454 run : |
55+ set -euo pipefail
56+ [ -n "${DIGEST:-}" ] || { echo "No digest found"; exit 1; }
5557 images=""
56- for tag in ${TAGS}; do
58+ while IFS= read -r tag; do
59+ tag="$(echo "$tag" | xargs)" # trim whitespace
60+ [ -z "$tag" ] && continue
5761 images+="${tag}@${DIGEST} "
58- done
59- cosign sign --yes ${images}
62+ done < <(echo "${TAGS:-}" | tr ',' '\n')
63+ echo "Signing: $images"
64+ cosign sign --yes $images
6065
6166name : Verify signatures
6267 env :
6368 DIGEST : ${{ steps.build-and-push.outputs.digest }}
6469 TAGS : ${{ steps.meta.outputs.tags }}
6570 run : |
71+ set -euo pipefail
72+ [ -n "${DIGEST:-}" ] || { echo "No digest found"; exit 1; }
6673 images=""
67- for tag in ${TAGS}; do
74+ while IFS= read -r tag; do
75+ tag="$(echo "$tag" | xargs)"
76+ [ -z "$tag" ] && continue
6877 images+="${tag}@${DIGEST} "
69- done
70- cosign verify ${images}
78+ done < <(echo "${TAGS:-}" | tr ',' '\n')
79+
80+ CERT_ID="https://github.com/${{ github.repository }}/.github/workflows/publish.yml@${{ github.ref }}"
81+ CERT_ISSUER="https://token.actions.githubusercontent.com"
82+
83+ echo "Verifying: $images"
84+ cosign verify \
85+ --certificate-identity="${CERT_ID}" \
86+ --certificate-oidc-issuer="${CERT_ISSUER}" \
87+ $images
0 commit comments