Directly reference private key in signing step (#19)

2022-12-25 22:49:23 +00:00
parent d24f751edf
commit c82f8396e3
1 changed files with 14 additions and 2 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -94,21 +94,33 @@ jobs:
          password: ${{ env.REGISTRY_PASSWORD }}
          extra-args: |
            --disable-content-trust
+
      # Sign container
      - uses: sigstore/cosign-installer@main
+
+      # Only needed when running `cosign sign` using a key
+      - name: Write signing key to disk
+        run: |
+          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
+          # DEBUG: get character count of key
+          wc -c cosign.key
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Sign container image
        run: |
-          cosign sign ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
+          cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
        env:
          TAGS: ${{ steps.push.outputs.digest }}
-          COSIGN_PRIVATE_KEY: ${{secrets.SIGNING_SECRET}}
          COSIGN_EXPERIMENTAL: false
+
      - name: Echo outputs
        run: |
          echo "${{ toJSON(steps.push.outputs) }}"