Test attestation

2025-06-18 15:57:29 +02:00 · 2024-05-30 16:10:51 +09:00 · 2024-05-30 16:10:51 +09:00 · be314a90e8
commit be314a90e8
parent 8b52870aa5
1 changed files with 36 additions and 0 deletions
--- a/.github/workflows/images_build.yml
+++ b/.github/workflows/images_build.yml
@ -270,6 +270,22 @@ jobs:
          ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
          fetch-depth: 1
      - name: Install cosign
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
        with:
          cosign-release: 'v2.2.3'
      - name: Check cosign version
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        run: cosign version
      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
        with:
          image: tonistiigi/binfmt:latest
          platforms: all
      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
        with:
@ -379,6 +395,26 @@ jobs:
          cache-from: ${{ steps.cache_data.outputs.cache_from }}
          cache-to: ${{ steps.cache_data.outputs.cache_to }}
      - name: Sign the images with GitHub OIDC Token
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
            images=""
            for tag in ${TAGS}; do
                images+="${tag}@${DIGEST} "
            done
            echo "::group::Images to sign"
            echo "$images"
            echo "::endgroup::"
            echo "::group::Signing"
            echo "cosign sign --yes $images"
            cosign sign --yes ${images}
            echo "::endgroup::"
      - name: Attest images
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        id: attest