From c0e6a7d58b1b65b769c829eb8ab7162a5535d5a8 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Wed, 3 Jan 2024 14:38:54 -0700
Subject: [PATCH] feat(verify): Add option to fail silently

Some projects may want to opt to continue their workflow in spite of failure
---
 README.md | 2 ++
 verify/action.yml | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index da06cf9..a8654c5 100644
--- a/README.md
+++ b/README.md
@@ -71,3 +71,5 @@ jobs:
 cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
 oidc-issuer: https://token.actions.githubusercontent.com
 ```
+
+While not recommended, you may also opt to fail verification silently without disrupting your workflow by setting `fail-silently: 'true'`.
diff --git a/verify/action.yml b/verify/action.yml
index db34e6d..e20a7ed 100644
--- a/verify/action.yml
+++ b/verify/action.yml
@@ -8,6 +8,10 @@ inputs:
 containers:
 description: 'Names of the target containers to verify'
 required: true
+ fail-silently:
+ description: 'Fail without exiting.'
+ default: 'false'
+ required: false
 pubkey:
 description: 'Public key used by target container'
 default: 'https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub'
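Review bot: The description `'Fail without exiting.'` for the new `fail-silently` input in the `inputs:` hunk of verify/action.yml does not tell the caller what actually happens when it is enabled, namely that a signature verification failure leaves the step green and every later step runs against an unverified image; that consequence is the security-relevant part and belongs in the action metadata, not only in the README. Suggest `description: 'When true, log a verification failure but let the step succeed instead of exiting 1. Not recommended.'`. The value is compared as a string elsewhere in this patch, so keeping the default as the quoted string `'false'` (rather than a YAML boolean) is correct and should stay as written.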
@@ -34,14 +38,18 @@ runs:
 for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
 if ! cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
 echo "NOTICE: Verification failed. Please ensure your public key is correct."
- exit 1
+ if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
+ exit 1
+ fi
 fi
 done
 elif [[ -n "${{ inputs.pubkey }}" ]]; then
 for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
 if ! cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
 echo "NOTICE: Verification failed. Please ensure your public key is correct."
- exit 1
+ if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
+ exit 1
+ fi
 fi
 done
 else
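Review bot: Both new guards read `${{ matrix.fail-silently }}` instead of the `fail-silently` input this same patch declares, so the value a caller passes to the action is never consulted; change both occurrences to `if [[ "${{ inputs.fail-silently }}" != 'true' ]]; then`. If the `matrix` context is unavailable or unset inside this composite action the expression expands to an empty string and the step still exits 1 (the option is a no-op, which at least fails safe), but if a calling job's matrix happens to define that key the action would skip the failure based on data it never declared as an input. When the skip does take effect the step returns success with nothing but an echo, so a downstream push or deploy cannot distinguish a verified image from an unverified one; at minimum emit `echo "::warning::Verification failed for ${CONTAINER}"` and consider writing the outcome to a step output so callers can gate on it explicitly. Separately, the surrounding `if ! cosign verify ... | jq` (context lines, not changed here) tests the pipeline's status, which only reflects cosign's exit code when pipefail is enabled, i.e. when this step declares `shell: bash`, which is outside the hunk and worth confirming.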