These actions exist to further automate the usage of sigstore's 'cosign'.
The 'sign' action signs the target container(s) using a private key stored as a repository secret. It is the private key generated by 'cosign' when creating a key pair.
Example implementation for GHCR:
jobs:
example:
runs-on: ubuntu-latest
permissions: {}
name: Sign container with Cosign
steps:
- name: Sign container
uses: EyeCantCU/cosign-action/[email protected]
with:
containers: silverblue-main, kinoite-main
registry: ghcr.io/ublue-os
registry-token: ${{ secrets.GITHUB_TOKEN }}
signing-secret: ${{ secrets.SIGNING_SECRET }}
tags: latest
The 'verify' action validates the target containers' signature via the public key. For example, for Universal Blue, this is the cosign.pub
file stored in the root of all image repositories.
Example implementation for verifying against a public key:
jobs:
example:
runs-on: ubuntu-latest
permissions: {}
name: Verify container with Cosign
steps:
- name: Verify container
uses: EyeCantCU/cosign-action/[email protected]
with:
containers: silverblue-main:latest, kinoite-main:latest
registry: ghcr.io/ublue-os
pubkey: https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub
Example implementation for verifying against a certificate:
jobs:
example:
runs-on: ubuntu-latest
permissions: {}
name: Verify container with Cosign
steps:
- name: Verify container
uses: EyeCantCU/cosign-action/[email protected]
with:
containers: bash, busybox, caddy
registry: cgr.dev/chainguard
cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
oidc-issuer: https://token.actions.githubusercontent.com
While not recommended, you may also opt to fail verification silently without disrupting your workflow by setting fail-silently: 'true'
.