WIP: enable signing with cosign
Signed-off-by: Jason Hall <jason@chainguard.dev>
This commit is contained in:
parent
fdf7f43ecf
commit
898ec8408f
6 changed files with 98 additions and 3 deletions
|
@ -38,6 +38,7 @@ export interface Inputs {
|
|||
target: string;
|
||||
ulimit: string[];
|
||||
githubToken: string;
|
||||
sign: boolean;
|
||||
}
|
||||
|
||||
export async function getInputs(): Promise<Inputs> {
|
||||
|
@ -72,7 +73,8 @@ export async function getInputs(): Promise<Inputs> {
|
|||
tags: Util.getInputList('tags'),
|
||||
target: core.getInput('target'),
|
||||
ulimit: Util.getInputList('ulimit', {ignoreComma: true}),
|
||||
githubToken: core.getInput('github-token')
|
||||
githubToken: core.getInput('github-token'),
|
||||
sign: core.getBooleanInput('sign')
|
||||
};
|
||||
}
|
||||
|
||||
|
|
43
src/main.ts
43
src/main.ts
|
@ -2,6 +2,7 @@ import * as fs from 'fs';
|
|||
import * as path from 'path';
|
||||
import * as stateHelper from './state-helper';
|
||||
import * as core from '@actions/core';
|
||||
import * as io from '@actions/io';
|
||||
import * as actionsToolkit from '@docker/actions-toolkit';
|
||||
import {Context} from '@docker/actions-toolkit/lib/context';
|
||||
import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
|
||||
|
@ -104,6 +105,48 @@ actionsToolkit.run(
|
|||
core.setOutput('metadata', metadata);
|
||||
});
|
||||
}
|
||||
|
||||
if (inputs.sign) {
|
||||
// TODO: Check if `id-token: write` is specified and ID token is available.
|
||||
|
||||
// Check if cosign is installed.
|
||||
const cosignAvailable = await io
|
||||
.which('cosign', true)
|
||||
.then(res => {
|
||||
core.debug(`cosignAvailable ok: ${res}`);
|
||||
return true;
|
||||
})
|
||||
.catch(error => {
|
||||
core.debug(`cosignAvailable error: ${error}`);
|
||||
return false;
|
||||
});
|
||||
if (!cosignAvailable) {
|
||||
core.setFailed(`Cosign is required to sign. See https://github.com/sigstore/cosign-installer to set up cosign.`);
|
||||
return;
|
||||
}
|
||||
|
||||
await core.group(`Cosign version`, async () => {
|
||||
await Exec.getExecOutput('cosign', ['version'], {
|
||||
ignoreReturnCode: true
|
||||
}).then(res => {
|
||||
if (res.stderr.length > 0 && res.exitCode != 0) {
|
||||
throw new Error(`cosign version failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
if (!digest) {
|
||||
throw new Error('Digest is required to sign.');
|
||||
}
|
||||
|
||||
for (const img of inputs.tags) {
|
||||
const ref = `${img}@${digest}`;
|
||||
await core.group(`Signing image ${ref}`, async () => {
|
||||
// TODO: Annotate with workflow run ID, etc, from env vars.
|
||||
await Exec.exec('cosign', ['sign', ref, '--yes']);
|
||||
});
|
||||
}
|
||||
}
|
||||
},
|
||||
// post
|
||||
async () => {
|
||||
|
|
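Review bot: The `cosign sign` call inside the `Signing image` group runs with `--yes`, which silently consents to publishing the signing identity (the workflow's OIDC subject) to the public Rekor transparency log; that is the right setting for non-interactive CI but it is a disclosure decision the workflow author should see, so add `// --yes: non-interactive; also consents to uploading the OIDC identity to the public transparency log (Rekor).` above the call and say the same in the `sign` input description. Signing also assumes the digest is resolvable in a registry: if the build ran with `push: false` or `load: true`, `cosign sign` fails on the remote lookup with an unhelpful error, so if the Inputs interface still carries the existing `push` flag, fail early with `if (!inputs.push) { core.setFailed('sign requires push: true'); return; }` before probing for cosign. The `if (!digest)` guard is cheaper than the cosign version probe and could be moved ahead of it. The enclosing `actionsToolkit.run` callback starts and ends outside this hunk.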