feat(actions): Support passing multiple containers for verifcation/si…

…gning Requires they use the same keys/certificate
EyeCantCU · Dec 19, 2023 · 5ddf5bf · 5ddf5bf
1 parent 8bffcc8
commit 5ddf5bf
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
@@ -114,15 +114,15 @@ jobs:
       - name: Sign image
         uses: ./sign
         with:
-          container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
+          containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
           registry-token: ${{ secrets.GITHUB_TOKEN }}
           signing-secret: ${{ secrets.SIGNING_SECRET }}
           tags: ${{ steps.push.outputs.digest }}
 
       - name: Verify image
         uses: ./verify
         with:
-          container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
+          containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
           pubkey: ./cosign.pub
 
       - name: Echo outputs

diff --git a/sign/action.yml b/sign/action.yml
@@ -41,8 +41,9 @@ runs:
     - name: Sign container image
       shell: bash
       run: |
-        cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.container_case.outputs.lowercase }}@${TAGS}
+        cosign sign -y --key env://COSIGN_PRIVATE_KEY @${CONTAINERS}@${TAGS}
       env:
+        CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
         COSIGN_EXPERIMENTAL: false
         COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}
         TAGS: ${{ inputs.tags }}
diff --git a/verify/action.yml b/verify/action.yml
@@ -31,11 +31,12 @@ runs:
       shell: bash
       run: |
         if [[ -n "${{ inputs.pubkey }}" ]]; then
-          cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_case.outputs.lowercase }}
+          cosign verify --key ${{ inputs.pubkey }} @${CONTAINERS}
         elif [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
-          cosign verify ${{ steps.container_case.outputs.lowercase }} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
+          cosign verify --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} @${CONTAINERS}
         else
           exit 1
         fi
       env:
+        CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
         COSIGN_EXPERIMENTAL: false