Merge pull request #433 from matrix-org/kegan/sign

Sign releases
This commit is contained in:
Kegan Dougal 2024-05-09 16:37:07 +01:00 committed by GitHub
commit 150d9d6371
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -21,7 +21,10 @@ jobs:
contents: read contents: read
packages: write packages: write
security-events: write # To upload Trivy sarif files security-events: write # To upload Trivy sarif files
id-token: write # needed for signing the images with GitHub OIDC Token
steps: steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3.3.0
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Set up QEMU - name: Set up QEMU
@ -62,6 +65,18 @@ jobs:
ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:latest ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:latest
ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }} ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
- name: Sign the images with GitHub OIDC Token
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
env:
DIGEST: ${{ steps.docker_build_sliding_sync_release.outputs.digest }}
TAGS: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
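Review bot: The new `uses: sigstore/cosign-installer@v3.3.0` line in the first hunk pins the installer to a mutable tag while the same job now holds `id-token: write`, so anyone able to move that tag could swap the cosign binary and mint a valid Sigstore signature over an attacker-chosen image; pin it to the full commit SHA of the v3.3.0 release with the version in a trailing comment, e.g. `uses: sigstore/cosign-installer@<40-char-sha> # v3.3.0`. In the signing step, `DIGEST` comes from `steps.docker_build_sliding_sync_release.outputs.digest`, whose defining step is outside the hunk; if that output were ever empty the loop would pass `<tag>@` to cosign and fail with a reference-parse error rather than a clear message, so a guard such as `[ -n "${DIGEST}" ] || { echo "no image digest to sign" >&2; exit 1; }` before the loop would make the failure obvious. `TAGS` deliberately lists only the `${{ github.ref_name }}` tag even though `:latest` is pushed too; since cosign attaches the signature to the digest rather than the tag this appears to cover both, but a one-line comment saying so (`# signing by digest also covers :latest`) would stop a later "fix" that adds a second, redundant signing pass.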