Add support for signing with Sigstore

Fixes: redhat-actions#89
travier · Nov 24, 2023 · b529625 · b529625
1 parent c36f454
commit b529625
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -32,6 +32,7 @@ Refer to the [`podman push`](http://docs.podman.io/en/latest/markdown/podman-man
 | password | Password, encrypted password, or access token to use to log in to the registry. Required unless already logged in to the registry. | None
 | tls-verify | Verify TLS certificates when contacting the registry. Set to `false` to skip certificate verification. | `true`
 | digestfile | After copying the image, write the digest of the resulting image to the file. The contents of this file are the digest output. | Auto-generated from image and tag
+| sigstore-private-key | Sigstore private key to use to sign container images | None
 | extra-args | Extra args to be passed to podman push. Separate arguments by newline. Do not use quotes. | None
 
 <a id="image-tag-inputs"></a>

diff --git a/action.yml b/action.yml
@@ -33,6 +33,9 @@ inputs:
       By default, the filename will be determined from the image and tag.
       The contents of this file are the digest output.
     required: false
+  sigstore-private-key:
+    description: 'Sigstore private key to use to sign container images'
+    required: false
   extra-args:
     description: |
       Extra args to be passed to podman push.

diff --git a/src/generated/inputs-outputs.ts b/src/generated/inputs-outputs.ts
@@ -52,6 +52,12 @@ export enum Inputs {
      * Default: None.
      */
     USERNAME = "username",
+    /**
+     * Sigstore private key to use to sign container images
+     * Required: false
+     * Default: None.
+     */
+    SIGSTORE_PRIVATE_KEY = "sigstore-private-key",
 }
 
 export enum Outputs {

diff --git a/src/index.ts b/src/index.ts
@@ -209,6 +209,20 @@ async function run(): Promise<void> {
         }
     }
 
+    const sigstorePrivateKey = core.getInput(Inputs.SIGSTORE_PRIVATE_KEY);
+    const sigstorePrivateKeyFile = path.join(process.env.RUNNER_TEMP || "", "sigstore_private_key");
+    if (sigstorePrivateKey) {
+        // Write sigstore private key to a temporary file in $RUNNER_TEMP that
+        // will be removed after the image is pushed.
+        try {
+            await fs.promises.writeFile(sigstorePrivateKeyFile, sigstorePrivateKey);
+        }
+        catch (err) {
+            throw new Error(`Could not write sigstore private key to temporary file `
+                + `"${sigstorePrivateKeyFile}": ${err}`);
+        }
+    }
+
     let pushMsg = `⏳ Pushing "${sourceImages.join(", ")}" to "${destinationImages.join(", ")}" respectively`;
     if (username) {
         pushMsg += ` as "${username}"`;
@@ -269,11 +283,24 @@ async function run(): Promise<void> {
             args.push(`--creds=${creds}`);
         }
 
+        if (sigstorePrivateKey) {
+            args.push("--sign-by-sigstore-private-key");
+            args.push(sigstorePrivateKeyFile);
+        }
+
         await execute(await getPodmanPath(), args);
         core.info(`✅ Successfully pushed "${sourceImages[i]}" to "${destinationImages[i]}"`);
 
         registryPathList.push(destinationImages[i]);
 
+        try {
+            await fs.promises.unlink(sigstorePrivateKeyFile);
+        }
+        catch (err) {
+            core.warning(`Failed to remove temporary file used to store sigstore private key `
+                + `"${sigstorePrivateKeyFile}": ${err}`);
+        }
+
         try {
             const digest = (await fs.promises.readFile(digestFile)).toString();
             core.info(digest);