Skip to content

EyeCantCU/cosign-action

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cosign-action

These actions exist to further automate the usage of sigstore's 'cosign'.

Actions

Sign

The 'sign' action signs the target container(s) using a private key stored as a repository secret. It is the private key generated by 'cosign' when creating a key pair.

Example implementation for GHCR:

jobs:
  example:
    runs-on: ubuntu-latest

    permissions: {}

    name: Sign container with Cosign
    steps:
      - name: Sign container
        uses: EyeCantCU/cosign-action/[email protected]
        with:
          containers: silverblue-main, kinoite-main
          registry: ghcr.io/ublue-os
          registry-token: ${{ secrets.GITHUB_TOKEN }}
          signing-secret: ${{ secrets.SIGNING_SECRET }}
          tags: latest

Verify

The 'verify' action validates the target containers' signature via the public key. For example, for Universal Blue, this is the cosign.pub file stored in the root of all image repositories.

Example implementation for verifying against a public key:

jobs:
  example:
    runs-on: ubuntu-latest

    permissions: {}

    name: Verify container with Cosign
    steps:
      - name: Verify container
        uses: EyeCantCU/cosign-action/[email protected]
        with:
          containers: silverblue-main:latest, kinoite-main:latest
          registry: ghcr.io/ublue-os
          pubkey: https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub

Example implementation for verifying against a certificate:

jobs:
  example:
    runs-on: ubuntu-latest

    permissions: {}

    name: Verify container with Cosign
    steps:
      - name: Verify container
        uses: EyeCantCU/cosign-action/[email protected]
        with:
          containers: bash, busybox, caddy
          registry: cgr.dev/chainguard
          cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
          oidc-issuer: https://token.actions.githubusercontent.com

While not recommended, you may also opt to fail verification silently without disrupting your workflow by setting fail-silently: 'true'.