wunker-bunker/wunker-os
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Setup sigstore id token

Browse Source
This commit is contained in:
Gerald Pinder
2023-07-23 21:16:41 -04:00
parent 65b3959065
commit 693fa5901c
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.gitlab-ci.yml
View File

@@ -3,6 +3,7 @@ stages:
variables: variables:
COSIGN_PASSWORD: "" COSIGN_PASSWORD: ""
COSIGN_YES: "true"
default: default:
image: registry.gitlab.com/wunker-bunker/ci-builder image: registry.gitlab.com/wunker-bunker/ci-builder
@@ -45,11 +46,14 @@ default:
build: build:
stage: build stage: build
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
parallel: parallel:
matrix: matrix:
- RECIPE: - RECIPE:
- recipe-desktop.yml - recipe-desktop.yml
- recipe-framework-13.yml - recipe-framework-13.yml
script: script:
- buildah build --build-arg=RECIPE=$RECIPE --build-arg=FEDORA_MAJOR_VERSION=$FEDORA_MAJOR_VERSION --build-arg BASE_IMAGE_URL=$BASE_IMAGE_URL -t $FULL_IMAGE_NAME:${TAGS} . - buildah build --build-arg=RECIPE=$RECIPE --build-arg=FEDORA_MAJOR_VERSION=$FEDORA_MAJOR_VERSION --build-arg BASE_IMAGE_URL=$BASE_IMAGE_URL -t $FULL_IMAGE_NAME:${TAGS} .
- | - |
@@ -58,4 +62,5 @@ build:
buildah push $FULL_IMAGE_NAME:$TAG buildah push $FULL_IMAGE_NAME:$TAG
done done
- DIGEST=($(buildah images --format '{{.Digest}}' $FULL_IMAGE_NAME:$TAGS)) - DIGEST=($(buildah images --format '{{.Digest}}' $FULL_IMAGE_NAME:$TAGS))
- cosign sign -y --key $SIGNING_SECRET $FULL_IMAGE_NAME@$DIGEST - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $FULL_IMAGE_NAME:$TAGS)
- cosign sign $IMAGE_DIGEST