
Commit 2323498

authored
Merge pull request #82 from crazy-max/verify-deps
check dependencies signatures
2 parents 459aa57 + 13cc1f7 commit 2323498


2 files changed

+102
-0
lines changed


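--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -171,6 +171,57 @@ jobs:
 with:
 script: |
 await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+-
+name: Install Cosign
+uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+env:
+INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
+with:
+script: |
+const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
+const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
+
+const inpCosignVersion = core.getInput('cosign-version');
+
+const cosignInstall = new Install();
+const cosignBinPath = await cosignInstall.download({
+version: core.getInput('cosign-version'),
+ghaNoCache: true,
+skipState: true,
+verifySignature: true
+});
+const cosignPath = await cosignInstall.install(cosignBinPath);
+
+const cosign = new Cosign();
+await cosign.printVersion();
+-
+name: Check dependencies signatures
+uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+env:
+INPUT_IMAGES: |
+${{ env.BUILDKIT_IMAGE }}
+${{ env.SBOM_IMAGE }}
+${{ env.BINFMT_IMAGE }}
+with:
+script: |
+const { OCI } = require('@docker/actions-toolkit/lib/oci/oci');
+const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
+
+const sigstore = new Sigstore();
+
+for (const image of core.getMultilineInput('images')) {
+await core.group(`Verifying ${image}`, async () => {
+try {
+await sigstore.verifyImageAttestations(image, {
+certificateIdentityRegexp: `^https://github.com/docker/github-builder(-experimental)?/.github/workflows/bake.yml.*$`,
+platform: OCI.defaultPlatform()
+});
+} catch (error) {
+core.setFailed(error);
+return;
+}
+});
+}
 -
 name: Expose GitHub Runtime
 uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0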
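Review bot: The `certificateIdentityRegexp` passed to `verifyImageAttestations` ends in `.*$`, so if the signing identity carries GitHub's usual `@refs/...` suffix this accepts attestations produced by any branch, tag or pull-request run of the github-builder bake workflow rather than only release builds, and the unescaped dots in `.github` and `bake.yml` match any character. Pinning the ref narrows trust to what the commit message intends, e.g. `certificateIdentityRegexp: '^https://github\\.com/docker/github-builder(-experimental)?/\\.github/workflows/bake\\.yml@refs/(heads/main|tags/v[0-9]+\\.[0-9]+\\.[0-9]+)$',` adjusted to whichever refs github-builder actually signs from. No OIDC issuer is passed in this call; if the toolkit does not default it to `https://token.actions.githubusercontent.com`, it should be set explicitly so a certificate from another Fulcio-trusted issuer with a look-alike SAN is rejected. If `BUILDKIT_IMAGE`, `SBOM_IMAGE` and `BINFMT_IMAGE` are tag references rather than digests (their definitions are outside this hunk), the digest verified here can differ from the one later steps pull, so consider resolving each to a digest once and reusing that pinned reference. The same step appears verbatim in build.yml and needs the same tightening.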

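--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -175,6 +175,57 @@ jobs:
 with:
 script: |
 await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+-
+name: Install Cosign
+uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+env:
+INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
+with:
+script: |
+const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
+const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
+
+const inpCosignVersion = core.getInput('cosign-version');
+
+const cosignInstall = new Install();
+const cosignBinPath = await cosignInstall.download({
+version: core.getInput('cosign-version'),
+ghaNoCache: true,
+skipState: true,
+verifySignature: true
+});
+const cosignPath = await cosignInstall.install(cosignBinPath);
+
+const cosign = new Cosign();
+await cosign.printVersion();
+-
+name: Check dependencies signatures
+uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+env:
+INPUT_IMAGES: |
+${{ env.BUILDKIT_IMAGE }}
+${{ env.SBOM_IMAGE }}
+${{ env.BINFMT_IMAGE }}
+with:
+script: |
+const { OCI } = require('@docker/actions-toolkit/lib/oci/oci');
+const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
+
+const sigstore = new Sigstore();
+
+for (const image of core.getMultilineInput('images')) {
+await core.group(`Verifying ${image}`, async () => {
+try {
+await sigstore.verifyImageAttestations(image, {
+certificateIdentityRegexp: `^https://github.com/docker/github-builder(-experimental)?/.github/workflows/bake.yml.*$`,
+platform: OCI.defaultPlatform()
+});
+} catch (error) {
+core.setFailed(error);
+return;
+}
+});
+}
 -
 name: Expose GitHub Runtime
 uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0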
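Review bot: The `return` after `core.setFailed(error)` in the `Check dependencies signatures` step only leaves the `core.group` callback, not the surrounding `for` loop, so every remaining image is still verified and the step fails only once the script has run to completion; that is a defensible choice, but the `return` reads as a fail-fast that does not happen. Either say so with `// keep verifying the other images so every failure is reported; setFailed already fails the step` in place of the `return`, or use `throw error;` if one unverifiable image should stop the step immediately. In the `Install Cosign` step `inpCosignVersion` and `cosignPath` are assigned but never read and `core.getInput('cosign-version')` is called twice; pass `version: inpCosignVersion` to `download` and drop the unused `cosignPath` binding, or use it to confirm the installed binary is the one on `PATH`. The `certificateIdentityRegexp` here is the same pattern as in bake.yml, ending in `.*$`, so it should be anchored to the release refs github-builder signs from rather than accepting any `@refs/...` suffix.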
