action.yml
38 lines (35 loc) · 1.87 KB
name: "[Ledger Security] Sign container image"
description: |
  The `sign-container` GitHub Action signs a container image (one digest, any number of tags) with Sigstore keyless signing: cosign exchanges the workflow's GitHub OIDC token for a short-lived signing certificate, so no long-lived signing key has to be stored, rotated or protected in the repository. The resulting signatures let consumers verify that the image was built by a specific workflow in a specific repository.
  Designed for use in Ledger's CI/CD pipeline, the action automates the signing step so that published images are signed and verifiable. Keyless signatures are recorded in the public Rekor transparency log, which is why the action only runs on public repositories.
inputs:
  tags:
    description: 'List of tags to sign (the `tags` output of docker/metadata-action, one tag per line)'
    required: true
    default: ""
  digest:
    description: 'Digest of the container image to sign (the `digest` output of docker/build-push-action)'
    required: true
    default: ""
runs:
  using: "composite"
  steps:
    # Keyless signatures end up in the public transparency log together with the
    # certificate's identity (repository and workflow path), so private repositories
    # would leak their existence and structure. The remaining steps are gated on the
    # same condition and are skipped for non-public repositories.
    - name: Check that the repository is public (keyless signatures leak private information)
      if: ${{ github.event.repository.visibility != 'public' }}
      shell: bash
      run: echo "This action only runs on public repositories. To avoid leaking private information, the signing steps are skipped."
    # Pinned to a major tag; pin to a commit SHA for a stricter supply-chain posture.
    - name: Install Cosign
      if: ${{ github.event.repository.visibility == 'public' }}
      uses: sigstore/cosign-installer@v3
    - name: Sign container images
      if: ${{ github.event.repository.visibility == 'public' }}
      shell: bash
      env:
        # Inputs are passed through the environment rather than interpolated into the
        # script, so a crafted tag or digest value cannot inject shell syntax.
        TAGS: ${{ inputs.tags }}
        DIGEST: ${{ inputs.digest }}
      run: |
        # Build "<tag>@<digest>" references; word splitting on the newline-separated
        # tag list yields one reference per tag, all pointing at the same digest.
        images=""
        for tag in ${TAGS}; do
          images+="${tag}@${DIGEST} "
        done
        # --yes skips the interactive confirmation about uploading to the transparency log.
        cosign sign --yes ${images}
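The reference-building loop above gives cosign no protection against an empty or malformed `digest` input (composite actions do not enforce `required`), and the action ships no verification step. The script below is an added example, not part of the Ledger action: it rebuilds the `<tag>@<digest>` references from a constructed `docker/metadata-action`-style tag list, rejects a digest that is not `sha256:` plus 64 hex characters, and prints the `cosign sign` and `cosign verify` commands a consumer would run. The `example/app` image name, `build.yml` workflow file and the sample digest are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the Ledger action's own code): assemble "<tag>@<digest>"
# references the way the composite action does, validate the digest, and emit
# the cosign commands for signing and for verifying a keyless GitHub OIDC signature.
set -eu

# Build space-separated "<tag>@<digest>" references from a newline- or
# space-separated tag list (the shape docker/metadata-action emits).
# Returns non-zero on an empty tag list or a malformed digest, so a bad input
# never reaches "cosign sign".
build_image_refs() {
  tags=$1
  digest=$2
  refs=""
  printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  for tag in $tags; do          # word splitting handles "\n" and " " separators
    refs="${refs}${tag}@${digest} "
  done
  [ -n "$refs" ] || return 1
  printf '%s' "${refs% }"       # drop the trailing separator
}

# Signing command for a set of references. Keyless: cosign exchanges the
# runner's OIDC token for a short-lived Fulcio certificate and records the
# signature in the Rekor transparency log.
sign_cmd() {
  printf 'cosign sign --yes %s' "$1"
}

# Verification must pin both the OIDC issuer and the certificate identity
# (the workflow ref); without them a signature from any GitHub workflow passes.
# $1 image reference, $2 owner/repo, $3 workflow file name.
verify_cmd() {
  printf "cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/%s/.github/workflows/%s@refs/' %s" "$2" "$3" "$1"
}

# Constructed sample input in the shape the action receives: the "tags" output of
# docker/metadata-action and the "digest" output of docker/build-push-action.
SAMPLE_TAGS='ghcr.io/example/app:1.2.3
ghcr.io/example/app:latest'
SAMPLE_DIGEST='sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

refs=$(build_image_refs "$SAMPLE_TAGS" "$SAMPLE_DIGEST")
sign_cmd "$refs"; echo
verify_cmd "ghcr.io/example/app:1.2.3" "example/app" "build.yml"; echo
```

The identity regexp anchors on the caller's workflow path under `refs/`; when the signing job lives in a reusable workflow, the certificate identity is that reusable workflow's ref instead, so the pattern has to name it.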