diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
index f61244f..1d849d2 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -79,24 +79,30 @@ jobs:
 cosign sign \
 --yes \
 --output-certificate crt.pem \
- --output-signature kwasm-image.sig \
- ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ --output-signature kwasm.sig \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.workflow_sha }}
 - name: prepare assets for upload
 if: runner.os != 'Windows'
 shell: bash
 run: |
- echo "+++ debug +++"
- cat crt.pem
- cat kwasm-image.sig
 mkdir _dist
- cp crt.pem kwasm-image.sig _dist/
+ cat < verify.txt
+ cosign verify \
+ --signature kwasm.sig --certificate crt.pem \
+ --certificate-identity https://github.com/${{ github.workflow_ref }} \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ --certificate-github-workflow-sha ${{ github.workflow_sha }} \
+ --certificate-github-workflow-repository voigt/kwasm-operator \
+ ghcr.io/voigt/kwasm-operator:${{ github.workflow_sha }}
+ EOF
+ cp crt.pem kwasm.sig verify.txt _dist/
 - name: upload binary as GitHub artifact
 if: runner.os != 'Windows'
 uses: actions/upload-artifact@v3
 with:
- name: kwasm-certs
+ name: kwasm
 path: _dist/
 - name: Configure Git
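Review bot: `cat < verify.txt` in the "prepare assets for upload" step is an input redirection from a file that does not exist yet, not a heredoc, so the step fails on that line under the `-e` that GitHub's `bash` shell sets, and without `-e` the `cosign verify ...` lines below would be executed as a command rather than written to the file; the line should read `cat > verify.txt <<'EOF'`. The verify command also hard-codes `ghcr.io/voigt/kwasm-operator` and `voigt/kwasm-operator` while the sign command a few lines above uses `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}`, so if those values ever differ the published verify.txt points consumers at an image reference other than the one that was signed; `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.workflow_sha }}` and `--certificate-github-workflow-repository ${{ github.repository }}` keep the two in step. A comment above the heredoc stating that verify.txt is the exact command downstream users run to check the artifact, and that its `--certificate-*` flags must stay aligned with what the sign step produces, would help the next maintainer.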