Sign ghcr/prod images using digest and not tag

Signed-off-by: Furkat Gofurov <furkat.gofurov@suse.com>
rancher · Oct 20, 2023 · 22242f3 · 22242f3
1 parent 702d1b7
commit 22242f3
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -90,16 +90,23 @@ jobs:
           username: ${{ env.USERNAME }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - uses: sigstore/cosign-installer@v3.1.2
+      - name: Obtain ghcr image digest
+        id: ghcr-digest
+        run: |
+          # Pull the ghcr image to get the digest
+          docker pull ${{ matrix.images.image }}
+          # Extract and save the digest to an output variable
+          echo "::set-output name=ghcr-digest::$(docker inspect --format='{{index .RepoDigests 0}}' ${{ matrix.images.image }})"
       - name: Sign manifests
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign --yes ${{ matrix.images.image }}
+          cosign sign --yes ${{ steps.ghcr-digest.outputs.ghcr-digest }}
       - name: Verify pushed ghcr images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          cosign verify ${{ steps.ghcr-digest.outputs.ghcr-digest }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 
   ghcr-provenance:
     needs: [build-ghcr, ghcr-sign]
@@ -212,16 +219,23 @@ jobs:
           username: ${{ env.PROD_USERNAME }}
           password: ${{ env.PROD_PASSWORD }}
       - uses: sigstore/cosign-installer@v3.1.2
+      - name: Obtain prod image digest
+        id: prod-digest
+        run: |
+          # Pull the prod image to get the digest
+          docker pull ${{ matrix.images.image }}
+          # Extract and save the digest to an output variable
+          echo "::set-output name=prod-digest::$(docker inspect --format='{{index .RepoDigests 0}}' ${{ matrix.images.image }})"
       - name: Sign manifests
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign --yes ${{ matrix.images.image }}
+          cosign sign --yes ${{ steps.prod-digest.outputs.prod-digest }}
       - name: Verify pushed ghcr images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          cosign verify ${{ steps.prod-digest.outputs.prod-digest }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 
   prod-provenance:
     needs: [build-prod, prod-sign]