fix(actions): Pass registry token and GitHub token when signing
EyeCantCU committed Dec 18, 2023
1 parent a10cd8a commit 1696915
Showing 3 changed files with 14 additions and 5 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/test-actions.yml
@@ -122,6 +122,8 @@ jobs:
with:
container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
registry: ghcr.io
registry-token: ${{ secrets.GITHUB_TOKEN }}
signing-secret: ${{ secrets.SIGNING_SECRET }}
tags: ${{ steps.push.outputs.digest }}

- name: Verify image
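Review bot: passing `secrets.GITHUB_TOKEN` as `registry-token` only works if the job that runs this step also grants the token `packages: write`; the action logs in to `ghcr.io` with it and `cosign sign` then pushes the signature to the registry, which fails with a read-only token. Confirm the job's `permissions:` block (not shown in this hunk) grants it, or the new input will be wired correctly but the sign step will still be rejected.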
6 changes: 4 additions & 2 deletions README.md
@@ -8,7 +8,7 @@ These actions exist to further automate the usage of sigstore's 'cosign'.

The 'sign' action signs the target container using a private key stored as a repository secret. The secret must be named `SIGNING_SECRET`. It is the private key generated by 'cosign' when creating a key pair.

Example implementation:
Example implementation for GHCR:

```yaml
jobs:
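Review bot: the unchanged sentence "The secret must be named `SIGNING_SECRET`" is now out of date. With the key passed through the `signing-secret` input, the repository secret can have any name and is only referenced by the caller, so reword it to something like "Pass the private key generated by 'cosign' when creating a key pair via the `signing-secret` input, e.g. from a repository secret", otherwise readers will assume the action still reads `secrets.SIGNING_SECRET` itself.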
@@ -24,14 +24,16 @@ jobs:
with:
container: ghcr.io/ublue-os/silverblue-main
registry: ghcr.io
registry-token: ${{ secrets.GITHUB_TOKEN }}
signing-secret: ${{ secrets.SIGNING_SECRET }}
tags: latest
```
## Verify
The 'verify' action validates the target container's signature via the public key. For example, for Universal Blue, this is the `cosign.pub` file stored in the root of all image repositories.

Example implementation:
Example implementation for GHCR:

```yaml
jobs:
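Review bot: the example now passes `registry-token: ${{ secrets.GITHUB_TOKEN }}`, but the README never says what `registry-token` is. Since the input is required, add a sentence to the 'sign' section stating that it is the password or token used to log in to `registry` before signing, that `secrets.GITHUB_TOKEN` is the right value for GHCR, and that other registries need a registry-specific secret; "for GHCR" in the example heading alone does not make that clear.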
11 changes: 8 additions & 3 deletions sign/action.yml
@@ -8,6 +8,12 @@ inputs:
registry:
description: 'Registry hosting the target container'
required: true
registry-token:
description: 'Password for container registry'
required: true
signing-secret:
description: 'Private key used to sign target container.'
required: true
tags:
description: 'Tags used by target container'
required: true
@@ -19,7 +25,7 @@ runs:
with:
registry: ${{ inputs.registry }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
password: ${{ inputs.registry-token }}

# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
@@ -34,8 +40,7 @@ runs:

- name: Sign container image
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ inputs.container }}@${TAGS}
cosign sign -y --key ${{ inputs.signing-secret }} ${{ inputs.container }}@${TAGS}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
TAGS: ${{ inputs.tags }}
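Review bot: `cosign sign -y --key ${{ inputs.signing-secret }} ...` splices the raw private key into the shell command. `--key` takes a path, a KMS reference or an `env://VAR` reference, so a multi-line PEM key expanded into the command line will not be read as a key and will break the `run:` script. Keep the previous form, `cosign sign -y --key env://COSIGN_PRIVATE_KEY ...`, and replace the dropped `COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}` with `COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}` under `env:`. The same applies to `${{ inputs.container }}`: expanding an input directly into `run:` lets a crafted value inject shell, so pass it through `env:` the way `TAGS` already is.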
