feat(actions): Support passing multiple containers for verifcation/si…

…gning Requires they use the same keys/certificate
EyeCantCU · Dec 19, 2023 · fabb798 · fabb798
1 parent 8bffcc8
commit fabb798
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 9 deletions.
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
@@ -114,15 +114,15 @@ jobs:
       - name: Sign image
         uses: ./sign
         with:
-          container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
+          containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
           registry-token: ${{ secrets.GITHUB_TOKEN }}
           signing-secret: ${{ secrets.SIGNING_SECRET }}
           tags: ${{ steps.push.outputs.digest }}
 
       - name: Verify image
         uses: ./verify
         with:
-          container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
+          containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
           pubkey: ./cosign.pub
 
       - name: Echo outputs

diff --git a/sign/action.yml b/sign/action.yml
@@ -2,8 +2,8 @@ name: 'Cosign Action - Sign'
 author: 'EyeCantCU'
 description: 'Signs target container'
 inputs:
-  container:
-    description: 'Path to target container to sign'
+  containers:
+    description: 'Paths to target containers'
     required: true
   registry-token:
     description: 'Password for container registry'
@@ -41,8 +41,9 @@ runs:
     - name: Sign container image
       shell: bash
       run: |
-        cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.container_case.outputs.lowercase }}@${TAGS}
+        cosign sign -y --key env://COSIGN_PRIVATE_KEY @${CONTAINERS}@${TAGS}
       env:
+        CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
         COSIGN_EXPERIMENTAL: false
         COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}
         TAGS: ${{ inputs.tags }}
diff --git a/verify/action.yml b/verify/action.yml
@@ -5,8 +5,8 @@ inputs:
   cert-identity:
     description: 'The identity certificate'
     required: false
-  container:
-    description: 'Path to target container to verify'
+  containers:
+    description: 'Paths to target containers'
     required: true
   pubkey:
     description: 'Public key used by target container'
@@ -31,11 +31,12 @@ runs:
       shell: bash
       run: |
         if [[ -n "${{ inputs.pubkey }}" ]]; then
-          cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_case.outputs.lowercase }}
+          cosign verify --key ${{ inputs.pubkey }} @${CONTAINERS}
         elif [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
-          cosign verify ${{ steps.container_case.outputs.lowercase }} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
+          cosign verify --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} @${CONTAINERS}
         else
           exit 1
         fi
       env:
+        CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
         COSIGN_EXPERIMENTAL: false