Add support for signing with Sigstore
Fixes: https://github.com/redhat-actions/push-to-registry/issues/89
This commit is contained in:
parent
1d13b5ac9b
commit
23b2687cd6
4 changed files with 72 additions and 0 deletions
|
@ -52,6 +52,18 @@ export enum Inputs {
|
|||
* Default: None.
|
||||
*/
|
||||
USERNAME = "username",
|
||||
/**
|
||||
* Sigstore private key to use to sign container images
|
||||
* Required: false
|
||||
* Default: None.
|
||||
*/
|
||||
SIGSTORE_PRIVATE_KEY = "sigstore-private-key",
|
||||
/**
|
||||
* Passphrase to unlock the Sigstore private key
|
||||
* Required: false
|
||||
* Default: None.
|
||||
*/
|
||||
SIGN_PASSPHRASE = "sign-passphrase",
|
||||
}
|
||||
|
||||
export enum Outputs {
|
||||
|
|
52
src/index.ts
52
src/index.ts
|
@ -209,6 +209,33 @@ async function run(): Promise<void> {
|
|||
}
|
||||
}
|
||||
|
||||
const sigstorePrivateKey = core.getInput(Inputs.SIGSTORE_PRIVATE_KEY);
|
||||
const sigstorePrivateKeyFile = path.join(process.env.RUNNER_TEMP || "", "sigstore_private_key");
|
||||
if (sigstorePrivateKey) {
|
||||
// Write sigstore private key to a temporary file in $RUNNER_TEMP that
|
||||
// will be removed after the image is pushed.
|
||||
try {
|
||||
await fs.promises.writeFile(sigstorePrivateKeyFile, sigstorePrivateKey);
|
||||
}
|
||||
catch (err) {
|
||||
throw new Error(`Could not write sigstore private key to temporary file `
|
||||
+ `"${sigstorePrivateKeyFile}": ${err}`);
|
||||
}
|
||||
}
|
||||
const signPassphrase = core.getInput(Inputs.SIGN_PASSPHRASE);
|
||||
const signPassphraseFile = path.join(process.env.RUNNER_TEMP || "", "sign_passphrase");
|
||||
if (signPassphrase || sigstorePrivateKey) {
|
||||
// Write passphrase (empty string if not provided) to a temporary file
|
||||
// in $RUNNER_TEMP that will be removed after the image is pushed.
|
||||
try {
|
||||
await fs.promises.writeFile(signPassphraseFile, signPassphrase || "");
|
||||
}
|
||||
catch (err) {
|
||||
throw new Error(`Could not write sign passphrase to temporary file `
|
||||
+ `"${signPassphraseFile}": ${err}`);
|
||||
}
|
||||
}
|
||||
|
||||
let pushMsg = `⏳ Pushing "${sourceImages.join(", ")}" to "${destinationImages.join(", ")}" respectively`;
|
||||
if (username) {
|
||||
pushMsg += ` as "${username}"`;
|
||||
|
@ -269,11 +296,36 @@ async function run(): Promise<void> {
|
|||
args.push(`--creds=${creds}`);
|
||||
}
|
||||
|
||||
if (sigstorePrivateKey) {
|
||||
args.push("--sign-by-sigstore-private-key");
|
||||
args.push(sigstorePrivateKeyFile);
|
||||
}
|
||||
|
||||
if (signPassphrase || sigstorePrivateKey) {
|
||||
args.push("--sign-passphrase-file");
|
||||
args.push(signPassphraseFile);
|
||||
}
|
||||
|
||||
await execute(await getPodmanPath(), args);
|
||||
core.info(`✅ Successfully pushed "${sourceImages[i]}" to "${destinationImages[i]}"`);
|
||||
|
||||
registryPathList.push(destinationImages[i]);
|
||||
|
||||
try {
|
||||
await fs.promises.unlink(sigstorePrivateKeyFile);
|
||||
}
|
||||
catch (err) {
|
||||
core.warning(`Failed to remove temporary file used to store sigstore private key `
|
||||
+ `"${sigstorePrivateKeyFile}": ${err}`);
|
||||
}
|
||||
try {
|
||||
await fs.promises.unlink(signPassphraseFile);
|
||||
}
|
||||
catch (err) {
|
||||
core.warning(`Failed to remove temporary file used to store sign passphrase `
|
||||
+ `"${signPassphraseFile}": ${err}`);
|
||||
}
|
||||
|
||||
try {
|
||||
const digest = (await fs.promises.readFile(digestFile)).toString();
|
||||
core.info(digest);
|
||||
|
|
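Review bot: The private key and passphrase are written with the default file mode at the two `writeFile` calls in the first hunk, so under a typical umask they sit in `$RUNNER_TEMP` readable by any process on the runner for the lifetime of the push; pass an explicit mode: `await fs.promises.writeFile(sigstorePrivateKeyFile, sigstorePrivateKey, { mode: 0o600 });` and `await fs.promises.writeFile(signPassphraseFile, signPassphrase || "", { mode: 0o600 });`. In the second hunk the two `unlink` calls run unconditionally and only after `execute` succeeds, so a workflow that passes no signing inputs gets a "Failed to remove temporary file" warning on every push, and a push that throws leaves the key file on disk; guard them with the same `if (sigstorePrivateKey)` / `if (signPassphrase || sigstorePrivateKey)` conditions as the writes and run them from a `finally`. The `[i]` indexing suggests this code is inside a per-destination loop whose head is outside the hunk; if so, the files are deleted after the first iteration and the next push would point `--sign-by-sigstore-private-key` at a missing file, so the cleanup belongs after the loop. `process.env.RUNNER_TEMP || ""` also falls back to a relative path in the working directory when the variable is unset, where failing fast would be the safer choice. `run()` starts and ends outside both hunks.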