attest: force https for rekor client (#610) #28
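---
name: release

# Run only when a version tag is pushed; the tag name becomes RELEASE_VERSION
# below and selects the image that gets signed and attested.
on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest
    # Every step runs with the job-scoped, ephemeral GITHUB_TOKEN; keep the
    # grants to the minimum the release pipeline actually needs.
    permissions:
      contents: write     # needed to create the GitHub release
      id-token: write     # needed for keyless (OIDC) signing and provenance
      packages: write     # needed to push images to ghcr.io
      attestations: write # needed by actions/attest-build-provenance
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0 # full history, otherwise goreleaser cannot see previous tags
          persist-credentials: false # do not leave the token in .git/config for later steps
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
      - uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
      - name: Set env
        # Strip "refs/tags/" so RELEASE_VERSION is the bare tag (e.g. v1.2.3).
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
      - name: Login to GitHub Containers
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        with:
          # Pin the goreleaser binary. Every other dependency in this job is
          # pinned by commit SHA; 'latest' would pull whatever goreleaser
          # release exists at run time into artifacts that are then signed and
          # attested below. '~> v2' limits this to the v2 line -- confirm it
          # matches the schema of the repo's .goreleaser config and prefer an
          # exact version once the project settles on one.
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KO_DOCKER_REPO: ghcr.io/sigstore/gitsign
      - name: get the digest
        id: digest
        # Resolve the freshly pushed tag to its manifest digest so that signing
        # and attestation refer to immutable content, not a mutable tag.
        run: |
          set -euo pipefail
          digest=$(crane digest "ghcr.io/sigstore/gitsign:${RELEASE_VERSION}")
          # Refuse anything that does not look like a content-addressed digest;
          # a blank or malformed value would otherwise be signed blindly.
          case "${digest}" in
            sha256:*) ;;
            *) echo "unexpected digest for ${RELEASE_VERSION}: '${digest}'" >&2; exit 1 ;;
          esac
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
      - name: sign image
        # Keyless cosign signature over the image digest; the digest is passed
        # through an env var rather than interpolated into the script.
        run: |
          cosign sign "ghcr.io/sigstore/gitsign@${DIGEST_TO_SIGN}"
        env:
          DIGEST_TO_SIGN: ${{ steps.digest.outputs.digest }}
          COSIGN_YES: 'true' # non-interactive: accept the Sigstore prompt
      - name: Generate build provenance attestation
        # SLSA build provenance for the same digest, pushed alongside the image.
        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        with:
          subject-name: ghcr.io/sigstore/gitsign
          subject-digest: ${{ steps.digest.outputs.digest }}
          push-to-registry: true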