Get correct token for cosign
cromefire committed Oct 22, 2023
1 parent 11ea8c3 commit bccc501
Showing 1 changed file with 8 additions and 9 deletions.
17 changes: 8 additions & 9 deletions .github/workflows/docker-publish.yml
@@ -41,9 +41,6 @@ jobs:
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write

steps:
- name: Checkout repository
@@ -159,6 +156,12 @@ jobs:
runs-on: ubuntu-latest
needs: [ build ]
if: github.event_name != 'pull_request'
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write

steps:
- name: Download digests
@@ -215,13 +218,11 @@ jobs:
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
working-directory: /tmp/digests
env:
RAW_TAGS: ${{ join(steps.meta.outputs.tags, ' ') }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
TAGS=""
for RAW_TAG in ${RAW_TAGS}; do
for RAW_TAG in ${{ join(steps.meta.outputs.tags, ' ') }}; do
TAGS="${TAGS}$(printf "${RAW_TAG}@sha256:%s " *)"
done
for TAG in ${TAGS}; do
@@ -230,9 +231,7 @@ jobs:
done
- name: Inspect image
env:
RAW_TAGS: ${{ join(steps.meta.outputs.tags, ' ') }}
run: |
for RAW_TAG in ${RAW_TAGS}; do
for RAW_TAG in ${{ join(steps.meta.outputs.tags, ' ') }}; do
docker buildx imagetools inspect ${RAW_TAG}
done
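Review bot: The loops in "Sign the published Docker image" and "Inspect image" now expand `${{ join(steps.meta.outputs.tags, ' ') }}` directly inside the `run:` script, so the tag list is pasted into the shell source before the shell parses it instead of being read as data from a variable. This job holds `packages: write` and `id-token: write`, so any shell metacharacter that reached the tag list would execute with the signing identity; the step that produces `steps.meta` is not visible here, so whether its output is always sanitised cannot be confirmed from this page. The `env:` indirection that the hunk counts indicate was removed, `RAW_TAGS: ${{ join(steps.meta.outputs.tags, ' ') }}` with `for RAW_TAG in ${RAW_TAGS}; do`, avoids the template expansion and looks unrelated to the token fix in the commit title. Quoting the argument as `docker buildx imagetools inspect "${RAW_TAG}"` would further limit word splitting and globbing. Scoping `id-token: write` to the signing job only is a sound narrowing of privilege and worth keeping.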
