feat(verify): Support verification of multiple containers

EyeCantCU · Dec 19, 2023 · b20e854 · b20e854
1 parent 04d7e1a
commit b20e854
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
@@ -122,7 +122,7 @@ jobs:
       - name: Verify image
         uses: ./verify
         with:
-          container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
+          containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
           pubkey: ./cosign.pub
 
       - name: Echo outputs

diff --git a/verify/action.yml b/verify/action.yml
@@ -5,8 +5,8 @@ inputs:
   cert-identity:
     description: 'The identity certificate'
     required: false
-  container:
-    description: 'Path to target container to verify'
+  containers:
+    description: 'A list of paths to target containers to verify'
     required: true
   pubkey:
     description: 'Public key used by target container'
@@ -26,16 +26,16 @@ runs:
 
     # https://github.com/macbre/push-to-ghcr/issues/12
     - name: Lowercase container path
-      id: container_case
+      id: containers_case
       uses: ASzc/change-string-case-action@v5
       with:
-        string: ${{ inputs.container }}
+        string: ${{ inputs.containers }}
 
     - name: Verify container
       shell: bash
       run:
-        if [[ -z ${{ inputs.container }} ]]; then
-          echo "ERROR: Path to container undefined"
+        if [[ -z ${{ inputs.containers }} ]]; then
+          echo "ERROR: Path to containers undefined"
           exit 1
         fi
         if [[ -z ${{ inputs.verification }} ]]; then
@@ -44,14 +44,14 @@ runs:
         fi
         if [[ ${{ inputs.verification }} == "public-key" ]]; then
           if [[ -n ${{ inputs.pubkey }} ]]; then
-            cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_case.outputs.lowercase }}
+            cosign verify --key ${{ inputs.pubkey }} env://CONTAINERS[@]
           else
             echo "ERROR: Public key undefined"
             exit 1
           fi
         elif [[ ${{ inputs.verification }} == "certificate" ]]; then
           if [[ -n ${{ inputs.cert-identity }} && -n ${{ inputs.oidc-issuer }} ]]; then
-            cosign verify ${{ inputs.container }} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
+            cosign verify env://CONTAINERS[@] --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }}
           else
             echo "ERROR: Certificate identity or OIDC issuer undefined"
             exit 1
@@ -60,4 +60,5 @@ runs:
           exit 1
         fi
       env:
+        CONTAINERS: ${{ steps.containers_case.outputs.lowercase }}
         COSIGN_EXPERIMENTAL: false