From b54241071aa42253f58aefd5d960e98471d97f37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Mon, 15 May 2023 21:44:39 +0300 Subject: [PATCH 1/2] use intermediate environment variables to avoid risks of script injection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index d57b2f1..4aaca04 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,10 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + uses: sigstore/cosign-installer@03d0fecf172873164a163bbc64bed0f3bf114ed7 #v3.4.0 with: - cosign-release: 'v1.13.1' - + cosign-release: 'v2.0.2' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -90,7 +89,9 @@ jobs: - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: - COSIGN_EXPERIMENTAL: "true" + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From a07603e5efb78778ca8291d20a54900f0024e0b8 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:51:15 -0500 Subject: [PATCH 2/2] Update to latest cosign versions --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 4aaca04..31da0e3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@03d0fecf172873164a163bbc64bed0f3bf114ed7 #v3.4.0 + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 with: - cosign-release: 'v2.0.2' + cosign-release: 'v2.1.1' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx