Commit

ci: use cosign attest directly instead of syft attest
Nirusu committed Feb 21, 2023
1 parent b4b2f0e commit d3206ec
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions .github/actions/container_sbom/action.yml
Expand Up @@ -31,10 +31,10 @@ runs:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
SYFT_ATTEST_PASSWORD: ${{ inputs.cosignPassword }} # Required for Syft 0.69.0+ as they overwrite COSIGN_PASSWORD
run: |
set -ex
syft attest --key env://COSIGN_PRIVATE_KEY ${{ inputs.containerReference }} -o cyclonedx-json > container-image.att.json
syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json
cosign attest --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type cyclonedx > container-image.att.json
cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
# TODO: type should be auto-discovered after issue is resolved:
# https://github.com/sigstore/cosign/issues/2264
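Review bot: the new `cosign attest` line names no image. The `syft attest` call it replaces passed `${{ inputs.containerReference }}`, and `cosign attest` also takes the image to attest as its positional argument, so as written the step has nothing to bind the CycloneDX predicate to. Suggest appending `${{ inputs.containerReference }}` to that command. Since the following `cosign attach attestation` line pushes `container-image.att.json` explicitly, also check whether `--no-upload` is wanted on `cosign attest` so the attestation is only published once. A short comment explaining why the SBOM is now generated with `syft packages` and signed separately would help the next reader, given that the removed `SYFT_ATTEST_PASSWORD` line carried the only explanation of the Syft 0.69.0+ password behaviour.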
