use image digest for signing

smartcontractkit · Aug 19, 2024 · 4a26958 · 4a26958
1 parent 7238d1f
commit 4a26958
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml
@@ -171,7 +171,9 @@ runs:
       run: |
         IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
+        IMAGE_DIGEST=${{ fromJSON(steps.buildpush-root.outputs.metadata)['containerimage.digest'] }}
         echo "root_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
+        echo "root_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
 
     - name: Generate docker metadata for non-root image
       id: meta-nonroot
@@ -217,6 +219,7 @@ runs:
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
         IMAGE_TAG=$(echo "$IMAGES_NAME_RAW" | cut -d":" -f2)
         echo "nonroot_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
+        echo "nonroot_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
         echo '### Docker Image' >> $GITHUB_STEP_SUMMARY
         echo "Image Name: ${IMAGE_NAME}"  >> $GITHUB_STEP_SUMMARY
         echo "Image Digest: ${IMAGE_DIGEST}"  >> $GITHUB_STEP_SUMMARY
@@ -250,7 +253,7 @@ runs:
         COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
       run: |
         echo "${{ inputs.cosign-private-key }}" > cosign.key
-        cosign sign --key cosign.key "${{ env.root_image_name }}"
+        cosign sign --key cosign.key "${{ env.root_image_digest }}"
         rm -f cosign.key
 
     - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
@@ -265,7 +268,7 @@ runs:
       name: Sign the published root Docker image using keyless method
       shell: sh
       run: |
-        cosign sign "${{ env.root_image_name }}"
+        cosign sign "${{ env.root_image_digest }}"
 
     - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
       name: Verify the signature of the published root Docker image using keyless
@@ -282,7 +285,7 @@ runs:
         COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
       run: |
         echo "${{ inputs.cosign-private-key }}" > cosign.key
-        cosign sign --key cosign.key "${{ env.nonroot_image_name }}"
+        cosign sign --key cosign.key "${{ env.nonroot_image_digest }}"
         rm -f cosign.key
 
     - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
@@ -297,7 +300,7 @@ runs:
       name: Sign the published non-root Docker image using keyless method
       shell: sh
       run: |
-        cosign sign "${{ env.nonroot_image_name }}"
+        cosign sign "${{ env.nonroot_image_digest }}"
 
     - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
       name: Verify the signature of the published non-root Docker image using keyless