use release cosign key only when releasing (#331)

Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2024-09-20 00:06:21 +00:00 · 2022-10-20 15:59:17 +02:00 · 2022-10-20 15:59:17 +02:00 · 21436e6592
commit 21436e6592
parent 085f7b1a2a
2 changed files with 15 additions and 15 deletions
--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@ -58,9 +58,9 @@ jobs:
          azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
          coreosImage: ${{ github.event.inputs.coreosImage }}
          isDebugImage: ${{ github.event.inputs.isDebugImage }}
-          cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
+          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
+          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
          awsAccessKeyID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          awsSecretAccessKey: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          awsDefaultRegion: ${{ secrets.AWS_DEFAULT_REGION }}
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@ -22,9 +22,9 @@ jobs:
          targetOS: linux
          targetArch: amd64
          enterpriseCLI: true
-          cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
+          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
+          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
      - name: Build cli-linux-arm64
        uses: ./.github/actions/build_cli
@ -32,9 +32,9 @@ jobs:
          targetOS: linux
          targetArch: arm64
          enterpriseCLI: true
-          cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
+          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
+          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
      - name: Build cli-darwin-amd64
        uses: ./.github/actions/build_cli
@ -42,9 +42,9 @@ jobs:
          targetOS: darwin
          targetArch: amd64
          enterpriseCLI: true
-          cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
+          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
+          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
      - name: Build cli-darwin-arm64
        uses: ./.github/actions/build_cli
@ -52,9 +52,9 @@ jobs:
          targetOS: darwin
          targetArch: arm64
          enterpriseCLI: true
-          cosignPublicKey: ${{ secrets.COSIGN_PUBLIC_KEY }}
+          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
+          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
      - name: Login to Azure
        uses: ./.github/actions/azure_login