-
Notifications
You must be signed in to change notification settings - Fork 0
40 lines (36 loc) · 1.24 KB
/
sign.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: Sign container image
on:
workflow_run:
workflows: ["Build and push images"]
types:
- completed
workflow_dispatch:
push:
jobs:
sign:
name: Create attestation
runs-on: ubuntu-22.04
strategy:
matrix:
version: ['3.2']
permissions:
packages: write
steps:
- name: Login to GHCR
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/[email protected]
- uses: anchore/sbom-action/download-syft@v0
id: syft
- name: Create attestation
run: |
BASE_IMAGE='ghcr.io/alphagov/govuk-ruby-base:${{ matrix.version }}'
BUILDER_IMAGE='ghcr.io/alphagov/govuk-ruby-builder:${{ matrix.version }}'
SYFT='${{steps.syft.outputs.cmd }}'
$SYFT --output spdx-json "${BASE_IMAGE}" > base.spdx.json
$SYFT --output spdx-json "${BUILDER_IMAGE}" > builder.spdx.json
cosign attest --predicate base.spdx.json --key "awskms:///alias/container-signing-key" "${BASE_IMAGE}"
cosign attest --predicate builder.spdx.json --key "awskms:///alias/container-signing-key" "${BUILDER_IMAGE}"