diff --git a/.github/workflows/build-unified.yml b/.github/workflows/build-unified.yml
index 9e2b3f3..8a3764a 100644
--- a/.github/workflows/build-unified.yml
+++ b/.github/workflows/build-unified.yml
@@ -203,11 +203,10 @@ jobs:
 
       - name: Install Cosign
         if: env.is_publish_branch == 'true'
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign image with Cosign
         if: env.is_publish_branch == 'true'
-        id: sign
         env:
           DIGEST: ${{ steps.build-docker.outputs.digest }}
           TAGS: ${{ steps.tag-list.outputs.tags }}
@@ -217,19 +216,7 @@ jobs:
           for tag in "${tags_array[@]}"; do
             images+=("${tag}@${DIGEST}")
           done
-          cosign sign --yes "${images[@]}"
-          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
-
-      - name: Verify the signed image(s) with Cosign
-        if: env.is_publish_branch == 'true'
-        env:
-          IMAGES: ${{ steps.sign.outputs.images }}
-        run: |
-          read -r -a images_array <<< "${COSIGN_IMAGES}"
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "${images_array[@]}"
+          cosign sign --yes ${images[@]}
 
       - name: Scan Docker image
         id: container-scan
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b246de0..5595571 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -252,7 +252,7 @@ jobs:
           persist-credentials: false
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
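Review bot: The rewritten sign command `cosign sign --yes ${images[@]}` drops the double quotes the removed line had, so every image reference becomes subject to word splitting and glob expansion; the tags originate from a step output, so keep the expansion quoted as `cosign sign --yes "${images[@]}"`. The `run:` block containing this line starts before the hunk. With the "Verify the signed image(s)" step deleted, nothing in this job confirms the produced signatures verify against the expected certificate identity and OIDC issuer; if the step was dropped because it read `COSIGN_IMAGES` while only `IMAGES` was exported, renaming the variable would have preserved that check. The installer bump to v4.0.0 is a major version and may change which cosign release is installed by default, so it is worth confirming that downstream `cosign verify` invocations still accept the signatures this job produces. The same verify-step removal appears in the release.yml hunks at -299 and -363.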
@@ -299,18 +299,6 @@ jobs:
           cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
           cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:latest"
 
-      - name: Verify the signed image with Cosign
-        run: |
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
-
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/$_PROJECT_NAME:latest"
-
       - name: Log out of Docker
         run: |
           docker logout ghcr.io
@@ -347,7 +335,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Push version and latest image
         if: ${{ inputs.release_type != 'Dry Run' }}
@@ -363,18 +351,6 @@ jobs:
           cosign sign --yes "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
           cosign sign --yes "ghcr.io/bitwarden/self-host:latest"
 
-      - name: Verify the signed image with Cosign
-        run: |
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
-
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/self-host:latest"
-
       - name: Log out of skopeo and ghcr.io
         run: |
           skopeo logout --all