From 2bdc74223bfd9319cc6273d7a2f72ec122aaa444 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Mon, 18 Dec 2023 19:39:43 -0700
Subject: [PATCH] feat(verify): Support verification of multiple containers at once
---
 .github/workflows/test-actions.yml | 2 +-
 verify/action.yml | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
index 1d9f51d..34e23cb 100644
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -122,7 +122,7 @@ jobs:
 - name: Verify image
 uses: ./verify
 with:
- container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
+ containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
 pubkey: ./cosign.pub
 - name: Echo outputs
diff --git a/verify/action.yml b/verify/action.yml
index 835d79c..988429c 100644
--- a/verify/action.yml
+++ b/verify/action.yml
@@ -5,8 +5,8 @@ inputs:
 cert-identity:
 description: 'The identity certificate'
 required: false
- container:
- description: 'Path to target container to verify'
+ containers:
+ description: 'Paths to target containers'
 required: true
 pubkey:
 description: 'Public key used by target container'
@@ -29,13 +29,14 @@ runs:
 - name: Verify container
 shell: bash
- run:
+ run: |
 if [[ -n ${{ inputs.pubkey }} ]]; then
- cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_case.outputs.lowercase }}
+ cosign verify --key ${{ inputs.pubkey }} env://CONTAINERS[@]
 elif [[ -n ${{ inputs.cert-identity }} && -n ${{ inputs.oidc-issuer }} ]]; then
- cosign verify ${{ inputs.container }} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
+ cosign verify env://CONTAINERS[@] --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
 else
 exit 1
 fi
 env:
+ CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
 COSIGN_EXPERIMENTAL: false
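Review bot: The workflow still hands the action a single image on the `containers:` line, so the multi-container path this commit introduces is never exercised by CI and a regression in the list handling would go unnoticed. Pass at least two references in the test, e.g. `containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }} ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}:latest`, using whatever separator the action is meant to accept (the patch does not document one, and the test is the place that should pin it). The enclosing job starts and ends outside this hunk.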
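Review bot: The two new `cosign verify` lines still splice `${{ inputs.pubkey }}`, `${{ inputs.cert-identity }}` and `${{ inputs.oidc-issuer }}` straight into the bash script, so any caller that feeds one of them from untrusted workflow context (a PR title, an issue body, a fork's branch name) gets shell injection, while the container list was correctly moved under `env:`; the other three inputs should be passed the same way and quoted. Doing so also removes the `[[ -n ${{ inputs.pubkey }} ]]` gotcha on the unchanged `if` line: with an empty input it expands to `[[ -n ]]`, which bash treats as a non-empty-string test and returns true, so the keyless branch can never be reached. `env://CONTAINERS[@]` is handed to cosign as a literal argument (bash does not expand it) and I am not aware of cosign resolving `env://` for image references as it does for `--key`-style file inputs, so splitting `$CONTAINERS` into a bash array and passing `"${refs[@]}"` is the portable form. The `container_case` step that produces `steps.container_case.outputs.lowercase` sits between the two hunks and is untouched; since the `container` input is removed in the first hunk, confirm it now reads `inputs.containers`, otherwise `CONTAINERS` expands to an empty string. A `set -euo pipefail` at the top keeps a failed verification of any one image from being masked.

```yaml
run: |
  set -euo pipefail
  # CONTAINERS is assumed whitespace-separated (spaces or newlines); build an
  # array so each reference is one argument and is never re-parsed by the shell
  read -r -d '' -a refs <<< "$CONTAINERS" || true
  if (( ${#refs[@]} == 0 )); then
    echo "containers input is empty" >&2
    exit 1
  fi
  if [[ -n "$PUBKEY" ]]; then
    cosign verify --key "$PUBKEY" "${refs[@]}"
  elif [[ -n "$CERT_IDENTITY" && -n "$OIDC_ISSUER" ]]; then
    cosign verify --certificate-identity="$CERT_IDENTITY" --certificate-oidc-issuer="$OIDC_ISSUER" "${refs[@]}"
  else
    echo "set either pubkey or both cert-identity and oidc-issuer" >&2
    exit 1
  fi
env:
  CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
  PUBKEY: ${{ inputs.pubkey }}
  CERT_IDENTITY: ${{ inputs.cert-identity }}
  OIDC_ISSUER: ${{ inputs.oidc-issuer }}
  # … unchanged: COSIGN_EXPERIMENTAL …
```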