Skip to content
This repository was archived by the owner on Mar 6, 2026. It is now read-only.

Commit c727372

Browse files
committed
fix(ci): setup cosign correctly and sign images using github oidc token
1 parent 02ecf09 commit c727372

2 files changed

Lines changed: 27 additions & 30 deletions

File tree

.github/workflows/release.yaml

Lines changed: 26 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,19 @@ on:
1212

1313
jobs:
1414
semrel:
15+
permissions:
16+
actions: none
17+
checks: none
18+
contents: none
19+
deployments: none
20+
issues: none
21+
packages: write
22+
pull-requests: none
23+
repository-projects: none
24+
security-events: none
25+
statuses: none
26+
id-token: write # needed for signing the images with GitHub OIDC using cosign
27+
1528
name: Semantic Release
1629
runs-on: ubuntu-latest
1730
steps:
@@ -71,45 +84,28 @@ jobs:
7184
uses: aquasecurity/trivy-action@0.18.0
7285
with:
7386
image-ref: ghcr.io/${{ github.repository }}/api
74-
format: "json"
75-
output: "api.json"
76-
77-
- name: Run Trivy vulnerability scanner on ember
78-
uses: aquasecurity/trivy-action@0.18.0
79-
with:
80-
image-ref: ghcr.io/${{ github.repository }}/ember
81-
format: "json"
82-
output: "ember.json"
83-
84-
- name: Sign the image with GitHub OIDC Token using cosign
85-
run: cosign sign --yes ${{ github.repository }}/${{ inputs.image-ref }}@latest
86-
if: ${{ inputs.sign }}
87-
88-
- name: Convert api trivy results to CycloneDX
89-
uses: aquasecurity/trivy-action@0.18.0
90-
with:
91-
image-ref: api.json
92-
scan-type: "convert"
9387
format: "cyclonedx"
94-
# skip --vuln-type arg
95-
vuln-type: ""
9688
output: "api.cdx"
9789

98-
- name: Convert ember trivy results to CycloneDX
90+
- name: Run Trivy vulnerability scanner on ember
9991
uses: aquasecurity/trivy-action@0.18.0
10092
with:
101-
image-ref: ember.json
102-
scan-type: "convert"
93+
image-ref: ghcr.io/${{ github.repository }}/ember
10394
format: "cyclonedx"
104-
# skip --vuln-type arg
105-
vuln-type: ""
10695
output: "ember.cdx"
10796

108-
- name: Attach an SBOM attestation to the signed api image
109-
run: cosign attest --yes --type cyclonedx --predicate api.cdx ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
97+
- name: Install Cosign
98+
uses: sigstore/cosign-installer@v3.4.0
11099

111-
- name: Attach an SBOM attestation to the signed ember image
112-
run: cosign attest --yes --type cyclonedx --predicate ember.cdx ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
100+
- name: Sign the images with GitHub OIDC Token using cosign
101+
run: |
102+
cosign sign --yes ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
103+
cosign sign --yes ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
104+
105+
- name: Attach an SBOM attestation to the signed images
106+
run: |
107+
cosign attest --yes --type cyclonedx --predicate api.cdx ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
108+
cosign attest --yes --type cyclonedx --predicate ember.cdx ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
113109
114110
- name: Set up Helm
115111
if: steps.semrel.outputs.version != ''

.github/workflows/trivy-scan.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ jobs:
1818
name: Scan ${{ inputs.image-ref }}
1919
steps:
2020
- name: Install Cosign
21+
if: ${{ inputs.attest }}
2122
uses: sigstore/cosign-installer@v3.4.0
2223

2324
- name: Login to GitHub Container Registry

0 commit comments

Comments
 (0)