Skip to content

Commit 164aeb9

Browse files
authored
Use SHA for signing and do not upload SBOM as part of docker release/build (#11)
Signed-off-by: Erick Bourgeois <erick@jeb.ca>
1 parent e397441 commit 164aeb9

1 file changed

Lines changed: 9 additions & 6 deletions

File tree

.github/workflows/build.yaml

Lines changed: 9 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -385,14 +385,16 @@ jobs:
385385

386386
# Push to main and release: sign the image with Cosign (keyless, Sigstore).
387387
# PR images are ephemeral and not deployed, so signing them is skipped.
388+
# Sign by digest (not tag) to guarantee we sign exactly what was pushed.
389+
- name: Install Cosign
390+
if: github.event_name != 'pull_request'
391+
uses: sigstore/cosign-installer@v3
392+
388393
- name: Sign container image with Cosign
389394
if: github.event_name != 'pull_request'
390-
uses: firestoned/github-actions/security/cosign-sign@v1.3.6
391-
with:
392-
image-digest: ${{ steps.docker_build.outputs.digest }}
393-
image-tags: ${{ matrix.variant.image-tag }}
394-
registry: ghcr.io
395-
repository: ${{ matrix.variant.image-repository }}
395+
run: |
396+
cosign sign --yes \
397+
ghcr.io/${{ matrix.variant.image-repository }}@${{ steps.docker_build.outputs.digest }}
396398
397399
# Release only: generate a CycloneDX SBOM for the published image.
398400
- name: Generate Docker SBOM for ${{ matrix.variant.name }}
@@ -402,6 +404,7 @@ jobs:
402404
image: ghcr.io/${{ matrix.variant.image-repository }}:${{ matrix.variant.image-tag }}
403405
format: cyclonedx-json
404406
output-file: docker-sbom-${{ matrix.variant.name }}.json
407+
upload-release-assets: false
405408

406409
- name: Upload Docker SBOM as artifact
407410
if: github.event_name == 'release'

0 commit comments

Comments
 (0)