pezkuwichain/pwap
1
0
Fork 0
mirror of https://github.com/pezkuwichain/pwap.git synced 2026-06-14 04:21:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(cosign): explicit GHCR login before sign + verify

Browse Source 
docker/login-action writes ~/.docker/config.json but cosign on self-
hosted runner does not always read it. Add 'cosign login ghcr.io'
before sign (build-image) and verify (deploy-app, deploy-pex) so the
registry blob upload/download authenticates correctly.

The previous run signed via Sigstore (Fulcio cert + Rekor tlog entry
created) but failed at the final 'push signature blob to GHCR' step
with UNAUTHORIZED. Explicit cosign login solves this.
This commit is contained in:
Kurdistan Tech Ministry
2026-05-09 13:41:29 +03:00
parent f7c070e45b
commit 2cbfd21539
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/quality-gate.yml
+4 -1
View File
@@ -159,6 +159,9 @@ jobs:
COSIGN_EXPERIMENTAL: '1' COSIGN_EXPERIMENTAL: '1'
run: | run: |
IMAGE_DIGEST="${{ steps.meta.outputs.image }}@${{ steps.build.outputs.digest }}" IMAGE_DIGEST="${{ steps.meta.outputs.image }}@${{ steps.build.outputs.digest }}"
# cosign needs its own registry auth — docker/login-action only writes
# ~/.docker/config.json which cosign on self-hosted runner can't read
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u "${{ github.actor }}" --password-stdin
echo "Signing $IMAGE_DIGEST" echo "Signing $IMAGE_DIGEST"
cosign sign --yes "$IMAGE_DIGEST" cosign sign --yes "$IMAGE_DIGEST"
echo "✅ Image signed (transparency log: rekor.sigstore.dev)" echo "✅ Image signed (transparency log: rekor.sigstore.dev)"
@@ -328,8 +331,8 @@ jobs:
COSIGN_EXPERIMENTAL: '1' COSIGN_EXPERIMENTAL: '1'
run: | run: |
IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sha.outputs.sha }}" IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sha.outputs.sha }}"
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u "${{ github.actor }}" --password-stdin
echo "Verifying signature for $IMAGE" echo "Verifying signature for $IMAGE"
# Identity = workflow that built this image (build-image job in this repo)
cosign verify "$IMAGE" \ cosign verify "$IMAGE" \
--certificate-identity-regexp "^https://github.com/pezkuwichain/pwap/.github/workflows/quality-gate.yml@" \ --certificate-identity-regexp "^https://github.com/pezkuwichain/pwap/.github/workflows/quality-gate.yml@" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \