From 052f73f110e90e8a5c8a3f9eab4120c672eda95a Mon Sep 17 00:00:00 2001
From: Mostafa Moradian
Date: Sun, 14 Aug 2022 14:21:21 +0200
Subject: [PATCH] Fix issue with signing the Docker image

---
 .github/workflows/build.yaml | 22 +++++-----------------
 1 file changed, 5 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0a9f7b4..367ae73 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -69,30 +69,18 @@ jobs:
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
 uses: sigstore/cosign-installer@main
- - name: Copy the cosign keys ๐Ÿ“‹
- if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
- run: |
- echo "$COSIGN_PRIVATE_KEY" > cosign.key
- echo "$COSIGN_PUBLIC_KEY" > cosign.pub
- shell: bash
- env:
- COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
- COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
-
 - name: Sign the Docker image โœ๏ธ
- if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
- run: cosign sign --key cosign.key mostafamoradian/xk6-kafka:${{ steps.meta.outputs.tags }}
+ run: cosign sign --key env://COSIGN_PRIVATE_KEY mostafamoradian/xk6-kafka:${{ steps.meta.outputs.tags }}
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-
 - name: Verify the Docker image signature โœ…
- if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
- run: cosign verify --key cosign.pub mostafamoradian/xk6-kafka:${{ steps.meta.outputs.tags }}
-
- - name: Remove the cosign keys ๐Ÿงน
- if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
- run: rm -rf cosign.key cosign.pub
- shell: bash
+ run: cosign verify --key env://COSIGN_PUBLIC_KEY mostafamoradian/xk6-kafka:${{ steps.meta.outputs.tags }}
+ env:
+ COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 - name: Scan code with Trivy vulnerability scanner ๐Ÿ”
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
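Review bot: Both new `run:` lines sign and then verify a mutable tag reference, `mostafamoradian/xk6-kafka:${{ steps.meta.outputs.tags }}`, so the signature is bound to whatever digest that tag resolves to at signing time rather than to the image this job pushed; recent cosign releases warn about exactly this. If the build/push step (outside this hunk) exposes a digest output, as docker/build-push-action does, sign and verify by digest instead: `cosign sign --key env://COSIGN_PRIVATE_KEY mostafamoradian/xk6-kafka@${{ steps.<build-id>.outputs.digest }}`. Keeping the public key in a GitHub secret also masks it in logs and never publishes it; commit it as `cosign.pub` (it is not sensitive) and verify with `--key cosign.pub` so downstream users can run the same check against the release. Longer term, keyless signing via the workflow's OIDC token (`permissions: id-token: write`) would remove the long-lived `COSIGN_PRIVATE_KEY`/`COSIGN_PASSWORD` secrets entirely.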