update examples #133

Merged
merged 2 commits into from
Jun 6, 2023
51 changes: 29 additions & 22 deletions README.md
Expand Up @@ -13,7 +13,7 @@ This action currently supports GitHub-provided Linux, macOS and Windows runners
Add the following entry to your Github workflow YAML file:

```yaml
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@v3.0.5
with:
cosign-release: 'v2.0.2' # optional
```
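Review bot: `uses: sigstore/cosign-installer@v3.0.5` pins to a tag, which is still a mutable reference that the upstream project can move; since this is the snippet readers will copy, consider pinning to the full commit SHA of the v3.0.5 release with the tag kept in a trailing comment, which is the pinning form GitHub's security-hardening guide (the same guide this README links in the signing example) recommends for third-party actions. Minor: the context line reads "Github workflow YAML file" while the project spells it GitHub elsewhere.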
Expand All @@ -22,15 +22,15 @@ Example using a pinned version:

```yaml
jobs:
test_cosign_action:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install Cosign and test presence in path
name: Install Cosign
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@v3.0.5
with:
cosign-release: 'v2.0.2'
- name: Check install!
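Review bot: after the rename the job `name: Install Cosign` reads identically to the step `- name: Install Cosign` beneath it, so the job-level name no longer adds information; since the prose introduces this as "Example using a pinned version", something like `name: Install Cosign (pinned release)` would tell the two examples apart in a run summary. The `permissions: {}` block is the right least-privilege default for a job that only installs a binary.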
Expand All @@ -41,15 +41,15 @@ Example using the default version:

```yaml
jobs:
test_cosign_action:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install Cosign and test presence in path
name: Install Cosign
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@v3.0.5
- name: Check install!
run: cosign version
```
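Review bot: this example differs from the pinned one only by the absence of the `with: cosign-release:` block, but nothing inside the snippet says so; a one-line comment under `uses: sigstore/cosign-installer@v3.0.5` stating that omitting `cosign-release` installs the action's default cosign version would make the example self-explanatory when it is copied without the sentence above it.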
Expand All @@ -60,7 +60,7 @@ Example of installing cosign via go install:

```yaml
jobs:
test_cosign_action:
example:
runs-on: ubuntu-latest

permissions: {}
Expand All @@ -73,7 +73,7 @@ jobs:
go-version: '1.20'
check-latest: true
- name: Install Cosign
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@v3.0.5
with:
cosign-release: main
- name: Check install!
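Review bot: `cosign-release: main` in this go-install example builds whatever is at the head of the cosign main branch at run time, so the resulting binary is neither a released build nor reproducible between runs; the example is fine for showing the go-install path, but a comment marking `main` as a moving target and pointing readers to a release tag for real workflows would keep this from being copied into production as-is.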
Expand All @@ -90,57 +90,64 @@ Example of a simple workflow:

```yaml
jobs:
test_cosign_action:
build-image:
runs-on: ubuntu-latest

permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token

name: Install Cosign and test presence in path
name: build-image
steps:
- uses: actions/checkout@master
- uses: actions/checkout@v3.5.2
with:
fetch-depth: 1

- name: Install Cosign
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@v3.0.5

- name: Set up QEMU
uses: docker/setup-qemu-action@v1
uses: docker/setup-qemu-action@v2.1.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v2.5.0

- name: Login to GitHub Container Registry
uses: docker/login-action@v2.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- id: docker_meta
uses: docker/metadata-action@v3.6.0
uses: docker/metadata-action@v4.4.0
with:
images: ghcr.io/sigstore/sample-honk
tags: type=sha,format=long

- name: Build and Push container images
uses: docker/build-push-action@v2
uses: docker/build-push-action@v4.0.0
with:
platforms: linux/amd64,linux/arm/v7,linux/arm64
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}

# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- name: Sign image with a key
run: |
cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}"
env:
TAGS: ${{ steps.docker_meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}

- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
TAGS: ${{ steps.docker_meta.outputs.tags }}
run: cosign sign --yes ${TAGS}@${DIGEST}
run: cosign sign --yes "${TAGS}@${DIGEST}"
```

### Optional Inputs
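Review bot: `DIGEST: ${{ steps.build-and-push.outputs.digest }}`, now used by both the "Sign image with a key" step and the OIDC step, refers to a step id that does not exist in this workflow: the build step is declared only as `- name: Build and Push container images` with no `id:`, so the expression expands to an empty string and both `cosign sign` commands run against `"${TAGS}@"`. Add `id: build-and-push` to that step (the `- id: docker_meta` step shows the pattern). The switch from signing the tag to signing `"${TAGS}@${DIGEST}"` is the right change, since a tag is mutable and the signature should bind to the immutable digest; note that this relies on `tags: type=sha,format=long` producing exactly one tag, and that `--yes` skips cosign's interactive confirmation about uploading to the transparency log, which the example should say in a comment.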