
Commit 40a3e61

34fathombelowcrenshaw-dev
authored andcommitted
fix: sign container images by digest (#11151)
* chore: sign container images by digest Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> * use sha hash Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
1 parent cd6bac9 commit 40a3e61


2 files changed

+14
-5
lines changed

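--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -71,11 +71,15 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
         with:
-          cosign-release: 'v1.13.0'
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
 
       - name: Sign Argo CD latest image
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:latest)" >> $GITHUB_ENV
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd@${{ env.IMAGE_DIGEST }}
           # Displays the public key to share.
           cosign public-key --key env://COSIGN_PRIVATE_KEY
         env: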
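Review bot: The new `cosign sign` line (new line 82) references `${{ env.IMAGE_DIGEST }}`, but that expression is rendered when the step starts, before the `echo … >> $GITHUB_ENV` on line 81 executes, and values appended to `$GITHUB_ENV` only become visible to later steps, so the reference most likely expands to `quay.io/argoproj/argocd@` and the step signs nothing usable. Keep the digest in a shell variable inside the same script: `IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:latest)` followed by `cosign sign --key env://COSIGN_PRIVATE_KEY "quay.io/argoproj/argocd@${IMAGE_DIGEST}"`. The shell-variable form also keeps a registry-supplied value out of `${{ }}` template expansion inside a `run:` script, which is the safer habit for workflow scripts. The same pattern recurs in the release.yaml hunk of this commit (new lines 228-230). The step's `env:` block continues beyond the hunk.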

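--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -218,12 +218,17 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
         with:
-          cosign-release: 'v1.13.0'
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
 
       - name: Sign Argo CD container images
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
-          cosign sign --key env://COSIGN_PRIVATE_KEY docker.io/argoproj/argocd:v${TARGET_VERSION}
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:v${TARGET_VERSION})" >> $GITHUB_ENV
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd@${{ env.IMAGE_DIGEST }}
+          cosign sign --key env://COSIGN_PRIVATE_KEY docker.io/argoproj/argocd:${{ env.IMAGE_DIGEST }}
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
           # Retrieves the public key to release as an asset
           cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
         env: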
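Review bot: The `docker.io` line at new line 230 joins the digest with `:` instead of `@`, which makes it a tag reference of the form `docker.io/argoproj/argocd:sha256:…` rather than a digest reference, so it should read `docker.io/argoproj/argocd@…` like the `${IMAGE_NAMESPACE}` line above it. Line 228 also resolves the digest from `quay.io/argoproj/argocd:v${TARGET_VERSION}` and then applies it to both `${IMAGE_NAMESPACE}/argocd` and `docker.io/argoproj/argocd`; that is only correct if the identical manifest was pushed to both registries, which the hunk does not show, so resolving each registry's digest separately is the safer choice. A shell-variable rewrite of the signing lines is below; the step's `env:` block continues past the hunk.
```yaml
        run: |
          IMAGE_DIGEST=$(crane digest "quay.io/argoproj/argocd:v${TARGET_VERSION}")
          cosign sign --key env://COSIGN_PRIVATE_KEY "${IMAGE_NAMESPACE}/argocd@${IMAGE_DIGEST}"
          DOCKERHUB_DIGEST=$(crane digest "docker.io/argoproj/argocd:v${TARGET_VERSION}")
          cosign sign --key env://COSIGN_PRIVATE_KEY "docker.io/argoproj/argocd@${DOCKERHUB_DIGEST}"
          # … unchanged: sign-blob of the checksums file, public-key export …
```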
