Commit

ci: directly read private key from environment for Syft / Cosign
Nirusu committed Feb 3, 2023
1 parent e91a34d commit f246c70
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions .github/actions/container_sbom/action.yml
Expand Up @@ -34,8 +34,7 @@ runs:
SYFT_ATTEST_PASSWORD: ${{ inputs.cosignPassword }} # Required for Syft 0.69.0+ as they overwrite COSIGN_PASSWORD
run: |
set -ex
echo "$COSIGN_PRIVATE_KEY" > cosign.key
syft attest --key cosign.key ${{ inputs.containerReference }} -o cyclonedx-json > container-image.att.json
syft attest --key env://COSIGN_PRIVATE_KEY ${{ inputs.containerReference }} -o cyclonedx-json > container-image.att.json
cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
# TODO: type should be auto-discovered after issue is resolved:
# https://github.com/sigstore/cosign/issues/2264
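Review bot: the removed `echo "$COSIGN_PRIVATE_KEY" > cosign.key` line ran under `set -ex`, so the shell trace wrote the expanded command, private key material included, to the job log, and the key also sat in the workspace as `cosign.key` with the default umask and was never deleted; the replacement `syft attest --key env://COSIGN_PRIVATE_KEY ...` fixes both, since the traced command now contains only the literal `env://` reference and nothing is written to disk. Two follow-ups worth adding to the commit: state which Syft version introduced `env://` key references so the pinned action version is known to support it, and consider dropping `-x` from `set -ex` (or moving it below the attest step) so that later arguments are not echoed either. The `SYFT_ATTEST_PASSWORD` line in the unchanged context is still needed for the key passphrase; it is only the key itself that moved to `env://`.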
