Sign ghcr/prod images using digest and not tag

Signed-off-by: Furkat Gofurov <furkat.gofurov@suse.com>
rancher · Oct 20, 2023 · 7eddb00 · 7eddb00
1 parent 702d1b7
commit 7eddb00
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -94,12 +94,18 @@ jobs:
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign --yes ${{ matrix.images.image }}
+          # Loop through the ghcr images and sign them by digest
+          for image in "${{ matrix.images.digest }}"; do
+            cosign sign --yes $image
+          done
       - name: Verify pushed ghcr images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          # Loop through the ghcr images and verify them by digest
+          for image in "${{ matrix.images.digest }}"; do
+            cosign verify $image --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          done
 
   ghcr-provenance:
     needs: [build-ghcr, ghcr-sign]
@@ -216,12 +222,18 @@ jobs:
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign --yes ${{ matrix.images.image }}
+          # Loop through the prod images and sign them by digest
+          for image in "${{ matrix.images.digest }}"; do
+            cosign sign --yes $image
+          done
       - name: Verify pushed ghcr images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          # Loop through the prod images and verify them by digest
+          for image in "${{ matrix.images.digest }}"; do
+            cosign verify $image --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          done
 
   prod-provenance:
     needs: [build-prod, prod-sign]