-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(sign-blob): make path use more complex to handle also regex
- Loading branch information
1 parent
9aaac24
commit e64ae7f
Showing
1 changed file
with
39 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,29 +1,56 @@ | ||
| name: "[Ledger Security] Sign an blob" | ||
| description: "This action is used to sign a blob in keyless mode based on Github OIDC token." | ||
| name: "[Ledger Security] Sign blobs" | ||
| description: "This action is used to sign blobs in keyless mode based on Github OIDC token." | ||
|
|
||
| inputs: | ||
| path: | ||
| description: 'Path to the artifact or directory with artifacts to sign' | ||
| description: 'Path to the artifact, directory, or regex pattern to match files for signing' | ||
| required: true | ||
| default: "" | ||
|
|
||
|
|
||
| runs: | ||
| using: "composite" | ||
| steps: | ||
| - name: Install Cosign | ||
| uses: sigstore/cosign-installer@v3 | ||
| - name: Sign blob | ||
|
|
||
| - name: Validate Path and Sign Blobs | ||
| shell: bash | ||
| run: | | ||
| # Check if the path exists | ||
| if [[ ! -e "${{ inputs.path }}" ]]; then | ||
| echo "Error: The specified path '${{ inputs.path }}' does not exist." | ||
| exit 1 | ||
| fi | ||
| # Check if it's a directory | ||
| if [[ -d "${{ inputs.path }}" ]]; then | ||
| for file in ${{ inputs.path }}/*; do | ||
| cosign sign-blob --yes "$file" --bundle "$file.cosign.bundle" | ||
| done | ||
| # Loop through all files in the directory | ||
| for file in ${{ inputs.path }}/*; do | ||
| if [[ -f "$file" ]]; then | ||
| echo "Signing file: $file" | ||
| cosign sign-blob --yes "$file" --output-signature "${file}.sig" --bundle "${file}.bundle" | ||
| else | ||
| echo "Warning: Skipping non-file: $file" | ||
| fi | ||
| done | ||
| # Check if it's a regex pattern (glob pattern) and find matching files | ||
| elif [[ -n $(echo "${{ inputs.path }}" | grep -E '*|?') ]]; then | ||
| matching_files=$(find . -type f -name "${{ inputs.path }}") | ||
| if [[ -z "$matching_files" ]]; then | ||
| echo "Error: No files found matching pattern '${{ inputs.path }}'" | ||
| exit 1 | ||
| fi | ||
| for file in $matching_files; do | ||
| echo "Signing file: $file" | ||
| cosign sign-blob --yes "$file" --output-signature "${file}.sig" --bundle "${file}.bundle" | ||
| done | ||
| # Handle single file | ||
| elif [[ -f "${{ inputs.path }}" ]]; then | ||
| cosign sign-blob --yes ${{ inputs.path }} --bundle ${{ inputs.path }}.cosign.bundle | ||
| echo "Signing single file: ${{ inputs.path }}" | ||
| cosign sign-blob --yes "${{ inputs.path }}" --output-signature "${{ inputs.path }}.sig" --bundle "${{ inputs.path }}.bundle" | ||
| else | ||
| echo "Invalid path provided" | ||
| exit 1 | ||
| echo "Error: '${{ inputs.path }}' is neither a valid file nor a directory." | ||
| exit 1 | ||
| fi | ||
| # TODO: Upload the signature to the artifact store | ||
| # TODO: Upload the signatures and bundle files to the artifact store |