

update slsa
mchmarny committed May 5, 2023
1 parent a9d9652 commit 38201ae
Showing 3 changed files with 4 additions and 20 deletions.
1 change: 0 additions & 1 deletion .github/workflows/on-tag-img.yaml
Expand Up @@ -97,7 +97,6 @@ jobs:
auth_user: ${{ needs.conf.outputs.service_account }}
cosign_version: ${{ needs.conf.outputs.cosign_version }}
image_digest: ${{ needs.image.outputs.digest }}
scan_severity: ${{ needs.conf.outputs.err_on_vulnerability_sev }}

provenance:
needs:
22 changes: 4 additions & 18 deletions .github/workflows/sign.yaml
Expand Up @@ -19,10 +19,6 @@ on:
description: 'The version of cosign to use'
required: true
type: string
scan_severity:
description: 'Error on vulnerability scan severity'
required: true
type: string

permissions:
contents: read
Expand Down Expand Up @@ -51,35 +47,25 @@ jobs:

- name: Auth Cosign
run: |
set -euo pipefail
cosign version
reg=$(echo ${{ inputs.image_digest }} | cut -d/ -f1)
cosign login ${reg} --username=oauth2accesstoken --password=${{ steps.auth.outputs.access_token }}
- name: Generate Keys
run: |
set -euo pipefail
COSIGN_PASSWORD=$(openssl rand -base64 12)
cosign generate-key-pair
- name: Attest Image
- name: Sign Image
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_YES: true
run: |
set -euo pipefail
cosign sign ${{ inputs.image_digest }} \
--force \
--key cosign.key \
-a sha=${{ github.sha }} \
-a run_id=${{ github.run_id }} \
-a run_attempt=${{ github.run_attempt }} \
-a tag=${{ env.GITHUB_REF_NAME }}
- name: Attest Image
env:
COSIGN_EXPERIMENTAL: "true"
- name: Verify Signature
run: |
set -euo pipefail
cosign verify \
--key cosign.pub \
${{ inputs.image_digest }}
cosign verify --key cosign.pub ${{ inputs.image_digest }}
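Review bot: The key pair produced by `cosign generate-key-pair` in the Generate Keys step never leaves the job as far as this hunk shows, so the `cosign verify --key cosign.pub` in the final step only checks a signature against a throwaway key created seconds earlier and gives image consumers no trust anchor to verify against. `COSIGN_PASSWORD=$(openssl rand -base64 12)` is also a plain shell variable that is never exported, and each `run:` block is its own shell, so neither `generate-key-pair` nor `cosign sign --key cosign.key` sees it — presumably the key is written with an empty passphrase and the random password is dead code. Since the job already sets `COSIGN_EXPERIMENTAL`, the simpler fix is keyless signing: drop the Generate Keys step and `--key cosign.key`, add `id-token: write` to the `permissions` block (only `contents: read` is visible at the top of this file), and verify against the workflow identity, e.g. `cosign verify --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/" --certificate-oidc-issuer https://token.actions.githubusercontent.com ${{ inputs.image_digest }}` (exact flag names depend on the pinned `cosign_version`), or use a KMS-backed `--key gcpkms://...` if a long-lived key is wanted. Separately, `--password=${{ steps.auth.outputs.access_token }}` puts the registry token on the command line and in the expanded script; placing the token in a step `env:` and running `echo "$TOKEN" | cosign login "${reg}" --username=oauth2accesstoken --password-stdin` keeps it out of argv. `-a tag=${{ env.GITHUB_REF_NAME }}` likely expands to an empty annotation because the `env` context does not carry the runner's default variables — `${{ github.ref_name }}` is the expression form.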
1 change: 0 additions & 1 deletion .github/workflows/slsa.yaml
Expand Up @@ -79,7 +79,6 @@ jobs:
# SLSA provenance verification using slsa-verifier.
- name: Verify SLSA Provenance
run: |-
set -euo pipefail
slsa-verifier version
slsa-verifier verify-image ${{ inputs.image_digest }} \
--source-uri "github.com/$GITHUB_REPOSITORY" \
