diff --git a/.github/workflows/release-container.yaml b/.github/workflows/release-container.yaml
index 20c7bfe..c0d75d6 100644
--- a/.github/workflows/release-container.yaml
+++ b/.github/workflows/release-container.yaml
@@ -34,6 +34,11 @@ on:
 required: false
 default: 'https://github.com/radiorabe/.*'
 type: string
+ cosign-base-image-only:
+ description: 'pass --base-image-only arg to cosign dockerfile verify'
+ required: false
+ default: false
+ type: boolean
 jobs:
 docker:
@@ -97,7 +102,7 @@ jobs:
 uses: docker/setup-buildx-action@v2
 - name: Verify Dockerfile using cosign
- run: cosign dockerfile verify --certificate-oidc-issuer ${{ inputs.cosign-certificate-oidc-issuer }} --certificate-identity-regexp ${{ inputs.cosign-certificate-identity-regexp }} Dockerfile > /dev/null
+ run: cosign dockerfile verify --certificate-oidc-issuer ${{ inputs.cosign-certificate-oidc-issuer }} --certificate-identity-regexp ${{ inputs.cosign-certificate-identity-regexp }} ${{ inputs.cosign-base-image-only && '--base-image-only' }} Dockerfile > /dev/null
 if: inputs.cosign-verify
 - name: Build Container Image
diff --git a/README.md b/README.md
index c74f5b2..b015684 100644
--- a/README.md
+++ b/README.md
@@ -95,8 +95,9 @@ jobs:
 display-name: # (3)
 tags: # (4)
 cosign-verify: true # (5)
- cosign-certificate-oidc-issuer: # (6)
- cosign-certificate-identity-regexp: # (7)
+ cosign-certificate-oidc-issuer: [issues] # (6)
+ cosign-certificate-identity-regexp: [regexp] # (7)
+ cosign-base-image-only: [true] # (8)
 ```
 1. Replace this with the actual name of the image, usually something like the
@@ -110,6 +111,8 @@ jobs:
 6. Defaults to GitHub as an issuer and only needs tuning in special cases.
 7. The default `https://github.com/radiorabe/.*` allows signatures from all of our orga, add a more specific regexp if you feel the need.
+8. Pass `--base-image-only` to cosign if you are copying binaries from a
+ source image that isn't signed with cosign.
 #### Container Images: Schedule
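Review bot: The new `run:` line in the `Verify Dockerfile using cosign` step renders the literal word `false` into the command when the input is left at its default, because `inputs.cosign-base-image-only && '--base-image-only'` evaluates to the boolean `false` rather than an empty string and is then interpolated as text; cosign would receive `false` as an extra positional argument before `Dockerfile`. The usual idiom fixes this in place: `${{ inputs.cosign-base-image-only && '--base-image-only' || '' }}`. Since `--base-image-only` narrows verification to the final base image and leaves the other `FROM` stages unverified, the input description in the first hunk should say so, e.g. `description: 'pass --base-image-only to cosign dockerfile verify (only the final base image is verified; earlier FROM stages are skipped)'`, so callers understand the trade-off they are opting into. The README example placeholder `[issues]` for the oidc-issuer input also looks like a typo for `[issuer]`.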