From af59453d7c2792a6a3cecabd4927e112b1142634 Mon Sep 17 00:00:00 2001
From: Bertrand THOMAS
Date: Wed, 15 Apr 2026 16:25:17 +0200
Subject: [PATCH 1/3] Replace sigstore action for cosign with a script
---
 actions/cosign/sign/action.yml | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/actions/cosign/sign/action.yml b/actions/cosign/sign/action.yml
index 85611c7..4848af0 100644
--- a/actions/cosign/sign/action.yml
+++ b/actions/cosign/sign/action.yml
@@ -8,6 +8,10 @@ description: |
 ```
 inputs:
+ cosign-version:
+ description: Version of cosign (check latest from https://github.com/sigstore/cosign/releases)
+ required: false
+ default: 'v3.0.6'
 image-name:
 description: Image name
 required: true
@@ -22,9 +26,29 @@ runs:
 using: "composite"
 steps:
 - name: Install Cosign
- uses: sigstore/cosign-installer@v4.0.0
- with:
- cosign-release: 'v3.0.3'
+ run: |
+ echo "Downloading Cosign binary and checksums..."
+ curl -sL -O https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${COSIGN_BINARY}
+ curl -sL -O "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${COSIGN_CHECKSUM_FILE}"
+
+ echo "Verifying checksum..."
+ grep "${COSIGN_BINARY}$" "${COSIGN_CHECKSUM_FILE}" | sha256sum --check --status
+
+ if [ $? -eq 0 ]; then
+ echo "Verification successful!"
+ rm $COSIGN_CHECKSUM_FILE
+ chmod +x $COSIGN_BINARY
+ sudo mv $COSIGN_BINARY /usr/local/bin/cosign
+ cosign version
+ else
+ echo "ERROR: Checksum verification failed!" >&2
+ exit 1
+ fi
+ shell: bash
+ env:
+ COSIGN_BINARY: cosign-linux-amd64
+ COSIGN_CHECKSUM_FILE: cosign_checksums.txt
+ COSIGN_VERSION: ${{ inputs.cosign-version }}
 - name: Get image digest
 id: digest
 run: |
From a47ed0ed5e18739e0fa0cfafa41b0f098773054f Mon Sep 17 00:00:00 2001
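Review bot: The `cosign-version` description points at the releases page but does not say that the value is used verbatim as the release tag in the download URL built by the install step, so a value without the `v` prefix or a non-existent tag only surfaces later as a checksum failure. Suggest `description: Cosign release tag (for example 'v3.0.6'), used verbatim in the GitHub release download URL; see https://github.com/sigstore/cosign/releases`. The `inputs:` mapping continues outside the hunk.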
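Review bot: The `if [ $? -eq 0 ]` test after the `grep ... | sha256sum --check --status` pipeline never sees a failure: GitHub runs `shell: bash` steps with `-eo pipefail`, so a checksum mismatch (or a grep miss on the binary name) aborts the step on the pipeline line itself and the `else` branch with the `ERROR: Checksum verification failed!` message is dead code; test the pipeline directly, `if grep "${COSIGN_BINARY}$" "${COSIGN_CHECKSUM_FILE}" | sha256sum --check --status; then`. The two `curl -sL -O` calls lack `-f`, so an HTTP error page for an unknown tag is saved as the binary and is reported only as a checksum failure; `curl -fsSL -O ...` fails fast with the real status. The checksums file is fetched from the same release endpoint as the binary, so this check proves a clean download rather than that the asset is what sigstore published; cosign releases also ship signature and certificate files for the checksums file, and a comment on the step should state that trust assumption until those are verified. `COSIGN_BINARY: cosign-linux-amd64` also hard-codes the architecture, so on an arm64 runner the step installs a binary that `cosign version` cannot execute. The `steps:` sequence continues outside the hunk.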
From: Bertrand THOMAS
Date: Wed, 15 Apr 2026 16:38:55 +0200
Subject: [PATCH 2/3] Add test for cosign
---
 .github/workflows/ci.yml | 17 +++++++++++++++++
 actions/cosign/sign/action.yml | 5 +++++
 2 files changed, 22 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ee4192d..b2dfb4b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,3 +14,20 @@ jobs:
 markup-lint:
 name: Markup
 uses: ./.github/workflows/reusable-markup-lint.yml
+
+ validate-cosign:
+ name: Validate / Cosign
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v6
+ - name: Cosign Alpine (Read-only)
+ uses: ./actions/cosign/sign
+ with:
+ image-name: 'alpine'
+ image-path: 'docker.io/library'
+ image-tag: 'latest'
+ readonly: 'true'
+ permissions:
+ id-token: write
+ contents: read
diff --git a/actions/cosign/sign/action.yml b/actions/cosign/sign/action.yml
index 4848af0..7fe39b6 100644
--- a/actions/cosign/sign/action.yml
+++ b/actions/cosign/sign/action.yml
@@ -21,6 +21,10 @@ inputs:
 image-tag:
 description: Image tag
 required: true
+ readonly:
+ description: If true, skip the signing step
+ required: false
+ default: 'false'
 runs:
 using: "composite"
@@ -56,6 +60,7 @@ runs:
 echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
 shell: bash
 - name: Sign image with Cosign
+ if: inputs.readonly != 'true'
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
From c967224f15bd68f6133265aa89007763037b2ef7 Mon Sep 17 00:00:00 2001
From: Bertrand THOMAS
Date: Wed, 15 Apr 2026 16:44:38 +0200
Subject: [PATCH 3/3] Update test
---
 .github/workflows/ci.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b2dfb4b..bf3d4a2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
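Review bot: The `validate-cosign` job grants `id-token: write` although it passes `readonly: 'true'`, which skips the signing step, so the only effect of that grant is to let every step in the job (checkout and the cosign download script included) mint an OIDC token it does not need; reduce the block to `permissions:` with just `contents: read` and add `id-token: write` back only on a job that actually signs. `actions/checkout@v6` is pinned to a floating major tag rather than a commit SHA, which appears consistent with the rest of the file but is worth noting for a job that sits on the signing path. Placing `permissions:` after `steps:` is valid YAML but unconventional; moving it above `steps:` makes the grant visible at a glance.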
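Review bot: The `readonly` input description says "If true", but the gate added in the later hunk of this file (`if: inputs.readonly != 'true'`) compares the string literally, so `True`, `yes` or `1` still sign; document the contract, `description: Set to the string 'true' to skip the signing step; any other value signs`. Composite inputs appear to arrive as strings, so a caller writing the YAML boolean `true` presumably works, but that is the only other spelling. The `inputs:` mapping continues outside the hunk.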
@@ -21,11 +21,13 @@ jobs:
 steps:
 - name: Clone repository
 uses: actions/checkout@v6
- - name: Cosign Alpine (Read-only)
+ - name: Pull Alpine image
+ run: docker pull ghcr.io/linuxcontainers/alpine:latest
+ - name: Cosign Alpine image (read-only)
 uses: ./actions/cosign/sign
 with:
 image-name: 'alpine'
- image-path: 'docker.io/library'
+ image-path: 'ghcr.io/linuxcontainers'
 image-tag: 'latest'
 readonly: 'true'
 permissions:
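Review bot: The new pull step fetches `ghcr.io/linuxcontainers/alpine:latest` by mutable tag, so the digest the action resolves changes whenever that third-party image is rebuilt and the job depends on an external registry being reachable; the action as visible only accepts `image-tag`, so either note in the workflow that the test is non-deterministic by design or extend the action to accept a digest reference. Since `readonly: 'true'` skips the signing step, this job only proves that cosign installs and the digest resolves, never that signing works, which the step name could state more directly, e.g. `- name: Resolve Alpine digest via cosign action (no signing)`. The `validate-cosign` job starts outside the hunk.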