* Update the cosign-install action and default version from 1.4.0 to 1.5.1.
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
* Update to 1.7.1 and the latest cosign-installer action.
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
Co-authored-by: Bishal Prasad <bishal-pdmsft@github.com>
My previous PR didn't properly handle uppercase usernames (or repository names) when signing container images with `cosign`.
It seems that the `docker buildx --push` doesn't like this either, but it's passed the output of the `docker/metadata-action` which seems to lowercase things.
Fixes: https://github.com/actions/starter-workflows/issues/1293
Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
Now that cosign 1.4 is out, we can perform keyless signing without panicking on private images (and without `--force` uploading to Rekor).
Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
* Have the starter `docker-publish` action sign digests.
This change installs `sigstore/cosign` using the `cosign-installer` action,
and uses sigstore's "keyless" signing process to sign the resulting image
digest using the action's identity token (see: `id-token: write`).
Signed-off-by: Matt Moore <mattomata@gmail.com>
* Fully qualify the digest, add setup-buildx-action as workaround
* Drop --force, add public repo check
* Use built-in 'private' bit
https://github.com/Licsber/opencv-docker/runs/514244582?check_suite_focus=true
Push image:
Error parsing reference: "docker.pkg.github.com/Licsber/opencv-docker/opencv:latest" is not a valid repository/tag: invalid reference format: repository name must be lowercase
My username contains uppercase characters, which makes the push fail.
So I fix the bug by changing all uppercase in IMAGE_ID to lowercase.
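The lowercasing fix described in this commit, as an added example that is not code from the starter-workflows repository: it lowercases only the repository part of a reference (tags and digests are case-sensitive and are kept verbatim) and checks the result against the repository-name grammar behind the "repository name must be lowercase" error. It assumes a POSIX shell with `tr` and `grep -E`.

```shell
#!/bin/sh
# Added example, not code from the starter-workflows repository: reproduce the
# fix described above (lowercase the repository part of IMAGE_ID) and check the
# result against the repository-name grammar that docker enforces. Only the
# repository path is lowercased; tags and digests are case-sensitive and stay.

# lowercase_image_ref REF: print REF with its registry/repository lowercased.
lowercase_image_ref() {
  ref=$1 digest= tag=
  case $ref in
    *@*) digest="@${ref#*@}"; ref=${ref%%@*} ;;   # keep "@sha256:..." verbatim
  esac
  case ${ref##*/} in
    *:*) tag=":${ref##*:}"; ref=${ref%:*} ;;      # colon in last component = tag
  esac
  printf '%s%s%s\n' "$(printf '%s' "$ref" | tr '[:upper:]' '[:lower:]')" "$tag" "$digest"
}

# valid_repo_name REF: exit 0 if every repository path component matches the
# distribution/reference grammar ([a-z0-9]+ joined by ".", "_", "__" or "-"),
# which is the rule behind "repository name must be lowercase". The first
# component is treated as a registry host (and skipped) when it contains "."
# or ":" or is "localhost", the same heuristic docker uses.
valid_repo_name() {
  ref=${1%%@*}
  case ${ref##*/} in *:*) ref=${ref%:*} ;; esac
  case ${ref%%/*} in
    *.*|*:*|localhost)
      [ "${ref%%/*}" = "$ref" ] && return 1            # host with no repository
      ref=${ref#*/} ;;
  esac
  rest=$ref/
  while [ -n "$rest" ]; do
    comp=${rest%%/*}; rest=${rest#*/}
    printf '%s\n' "$comp" | grep -Eq '^[a-z0-9]+(([._]|__|-+)[a-z0-9]+)*$' || return 1
  done
  return 0
}

# Sample input: the reference from the failing run quoted above.
BAD_REF='docker.pkg.github.com/Licsber/opencv-docker/opencv:latest'
if ! valid_repo_name "$BAD_REF"; then
  FIXED_REF=$(lowercase_image_ref "$BAD_REF")
  valid_repo_name "$FIXED_REF" && echo "pushing as $FIXED_REF"
fi
```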