
Merge pull request #938 from imjasonh/sign-release
Sign released images
openshift-merge-robot authored Dec 9, 2021
2 parents d12bce7 + 271b783 commit 05251c4
Showing 1 changed file with 18 additions and 0 deletions.
18 changes: 18 additions & 0 deletions .github/workflows/release.yaml
@@ -14,6 +14,10 @@ jobs:
release:
if: ${{ github.repository == 'shipwright-io/build' }}
runs-on: ubuntu-latest
permissions:
id-token: write # To be able to get OIDC ID token to sign images.
contents: write # To be able to update releases.
packages: write # To be able to push images and signatures.
env:
IMAGE_HOST: ghcr.io
IMAGE_NAMESPACE: ${{ github.repository }}
@@ -29,6 +33,7 @@ jobs:

# Install tools
- uses: imjasonh/setup-ko@20b7695b536c640edfafdd378d96c760460f29d6
- uses: sigstore/[email protected]

- name: Build Release Changelog
env:
@@ -63,6 +68,19 @@ jobs:
gh release upload ${TAG} release.yaml
gh release upload ${TAG} sample-strategies.yaml
- name: Sign released images
env:
# This enables keyless mode
# (https://github.com/sigstore/cosign/blob/main/KEYLESS.md) which signs
# images using an ephemeral key tied to the GitHub Actions identity via
# OIDC.
COSIGN_EXPERIMENTAL: "true"
run: |
grep -o "ghcr.io[^\"]*" release.yaml | xargs cosign sign \
-a sha=${{ github.sha }} \
-a run_id=${{ github.run_id }} \
-a run_attempt=${{ github.run_attempt }}
- name: Update docs after release creation
env:
PREVIOUS_TAG: ${{ github.event.inputs.tags }}
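Review bot: The new "Sign released images" step signs every `ghcr.io` reference that `grep -o` extracts from release.yaml, so an image referenced there that this workflow did not build (a base or third-party image hosted on ghcr.io, if release.yaml carries one) would also be signed under the repository's OIDC identity; narrowing the pattern to this job's own namespace and de-duplicating, `grep -o "ghcr.io/${IMAGE_NAMESPACE}[^\"]*" release.yaml | sort -u | xargs -r cosign sign \`, keeps the signature a statement about this build only. If those references are tags rather than digests, cosign resolves the tag at signing time, so a tag moved between the ko push and this step is what gets signed — worth confirming that release.yaml holds digest references, which is not visible from the hunk. The sign step also runs after the `gh release upload` lines above it, so a signing failure leaves an already-published release pointing at unsigned images; running the sign step before the uploads closes that window. Separately, in the second hunk the cosign-installer action appears pinned to a version tag (the ref is garbled in this rendering) while setup-ko directly above it is pinned to a commit SHA; pinning both by SHA keeps the signing tool itself immutable. The job's `steps` list starts and ends outside the hunks.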
