19 changes: 19 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -14,3 +14,22 @@ jobs:
markup-lint:
name: Markup
uses: ./.github/workflows/reusable-markup-lint.yml

validate-cosign:
name: Validate / Cosign
runs-on: ubuntu-latest
steps:
- name: Clone repository
uses: actions/checkout@v6
- name: Pull Alpine image
run: docker pull ghcr.io/linuxcontainers/alpine:latest
- name: Cosign Alpine image (read-only)
uses: ./actions/cosign/sign
with:
image-name: 'alpine'
image-path: 'ghcr.io/linuxcontainers'
image-tag: 'latest'
readonly: 'true'
permissions:
id-token: write
contents: read
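Review bot: The `permissions` block grants `id-token: write` although the job passes `readonly: 'true'`, which, per the action's own `if: inputs.readonly != 'true'` in `actions/cosign/sign/action.yml`, skips the signing step that would consume the OIDC token; for a read-only validation job `contents: read` alone meets least privilege, or the hunk should carry a comment such as `# id-token is only exercised when readonly is false` explaining why the grant is kept. Both `actions/checkout@v6` and `docker pull ghcr.io/linuxcontainers/alpine:latest` reference mutable tags, so the inputs to this validation job can change without a commit to this repository; pinning the checkout to a full commit SHA and the image to a digest would make the check reproducible. If a mutable tag is deliberate for a smoke test, a one-line comment above the `Pull Alpine image` step saying so would save the next reader the question.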
35 changes: 32 additions & 3 deletions actions/cosign/sign/action.yml
Expand Up @@ -8,6 +8,10 @@ description: |
```

inputs:
cosign-version:
description: Version of cosign (check latest from https://github.com/sigstore/cosign/releases)
required: false
default: 'v3.0.6'
image-name:
description: Image name
required: true
Expand All @@ -17,21 +21,46 @@ inputs:
image-tag:
description: Image tag
required: true
readonly:
description: If true, skip the signing step
required: false
default: 'false'

runs:
using: "composite"
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v4.0.0
with:
cosign-release: 'v3.0.3'
run: |
echo "Downloading Cosign binary and checksums..."
curl -sL -O https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${COSIGN_BINARY}
curl -sL -O "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${COSIGN_CHECKSUM_FILE}"

echo "Verifying checksum..."
grep "${COSIGN_BINARY}$" "${COSIGN_CHECKSUM_FILE}" | sha256sum --check --status

if [ $? -eq 0 ]; then
echo "Verification successful!"
rm $COSIGN_CHECKSUM_FILE
chmod +x $COSIGN_BINARY
sudo mv $COSIGN_BINARY /usr/local/bin/cosign
cosign version
else
echo "ERROR: Checksum verification failed!" >&2
exit 1
fi
shell: bash
env:
COSIGN_BINARY: cosign-linux-amd64
COSIGN_CHECKSUM_FILE: cosign_checksums.txt
COSIGN_VERSION: ${{ inputs.cosign-version }}
- name: Get image digest
id: digest
run: |
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.image-path }}/${{ inputs.image-name }}:${{ inputs.image-tag }} | cut -d'@' -f2)
echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
shell: bash
- name: Sign image with Cosign
if: inputs.readonly != 'true'
env:
COSIGN_EXPERIMENTAL: 1
run: |
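Review bot: The `else` branch of the checksum test at `if [ $? -eq 0 ]` is effectively dead, because composite `shell: bash` steps run with `-e -o pipefail`, so a failing `grep | sha256sum --check` pipeline aborts the step before the `$?` test and the custom error message on the `ERROR: Checksum verification failed!` line is never printed; testing the pipeline directly, `if grep "${COSIGN_BINARY}$" "${COSIGN_CHECKSUM_FILE}" | sha256sum --check --status; then`, makes the intent hold regardless of shell flags. The two `curl -sL -O` downloads also lack `--fail`, so an HTTP error for a mistyped `cosign-version` stores the error body as the binary or checksum file and surfaces only as a confusing checksum mismatch; `curl -sSfL -O ...` fails at the download with the real cause. The checksum file is fetched from the same release as the binary, so the check protects against a truncated or corrupted download but adds no trust beyond the TLS connection to github.com; a comment stating that, or verifying the signature the release publishes over the checksums file if one is available, would make the guarantee explicit. The new step passes `cosign-version` through `env:`, which is the right pattern; the unchanged `Get image digest` step below it still interpolates `${{ inputs.image-path }}`, `${{ inputs.image-name }}` and `${{ inputs.image-tag }}` directly into the script, where a value containing shell metacharacters would be executed, so moving them into `env:` the same way would be a consistent hardening. The `Sign image with Cosign` step continues past the end of the hunk.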