Skip to content

Bump sigstore/cosign-installer (#85) #49

Bump sigstore/cosign-installer (#85)

Bump sigstore/cosign-installer (#85) #49

Workflow file for this run

name: build-push
on:
push:
branches:
- main
workflow_dispatch:
# permission can be added at job level or workflows level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
packages: write # push to GHCR
jobs:
build:
name: build
runs-on: ubuntu-latest
strategy:
matrix:
image:
- github-issue-opener
- slack-webhook
- jira-issue-opener
- image-copy-gcr
- image-copy-ecr
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version: '1.20'
check-latest: true
- run: go version
- name: Install Cosign
uses: sigstore/cosign-installer@37f387123cf7d4270454d0c351cf673ef28a8662 # v3.0.2
- name: Cosign login
shell: bash
run: |
cosign login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: ko login
shell: bash
run: |
ko login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
- name: Build
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
KO_DOCKER_REPO: ghcr.io/chainguard-dev/${{matrix.image}}
run: |
cd ${{matrix.image}}/cmd/app
ko build --image-refs=ko.images --bare .
echo "KO build $(cat ko.images)"
- name: Signing
env:
COSIGN_YES: true
run: |
echo "Signing $(cat ${{matrix.image}}/cmd/app/ko.images)"
cosign sign "$(cat ${{matrix.image}}/cmd/app/ko.images)"
- name: Sbom Attest
env:
COSIGN_YES: true
run: |
cosign download sbom "$(cat ${{matrix.image}}/cmd/app/ko.images)" --output-file bom.spdx.json
cosign attest --timeout=0 --type spdxjson --predicate bom.spdx.json "$(cat ${{matrix.image}}/cmd/app/ko.images)"
cosign verify-attestation --type spdxjson \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-identity "https://github.com/chainguard-dev/enforce-events/.github/workflows/build-push.yaml@refs/heads/main" \
"$(cat ${{matrix.image}}/cmd/app/ko.images)"