From e89475691651621fdf59cf4ff06e28703ba06dbc Mon Sep 17 00:00:00 2001 From: Stuart Johnson Date: Mon, 5 Feb 2024 21:43:52 +0000 Subject: [PATCH] fix signing --- .github/workflows/docker-publish.yml | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index f8be664..1befd5f 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -22,7 +22,7 @@ jobs: strategy: matrix: board: - - milkv-duo + # - milkv-duo # - milkv-duo-lite - milkv-duo256m # - milkv-duo256m-lite @@ -62,19 +62,33 @@ jobs: type=sha - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@v5.0.0 with: context: . push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - build-args: BOARD=${{ matrix.board }} cache-from: type=gha cache-to: type=gha,mode=max - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} + run: | + TAGS="${{ steps.meta.outputs.tags }}" + DIGEST="${{ steps.build-and-push.outputs.digest }}" + if [[ -n "$DIGEST" ]]; then + # Sign by digest + echo "Signing by digest" + cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@$DIGEST + elif [[ -n "$TAGS" ]]; then + # Sign by tags + echo "Signing by tags" + IFS=',' read -ra TAG_ARRAY <<< "$TAGS" + for tag in "${TAG_ARRAY[@]}"; do + cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$tag + done + else + echo "No tags or digest available for signing" env: - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + COSIGN_EXPERIMENTAL: "true" \ No newline at end of file