diff --git a/.github/workflows/generate-measurements.yml b/.github/workflows/generate-measurements.yml
index 7aab09bfe..f09b00020 100644
--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@@ -15,6 +15,11 @@ on:
         description: "Sign and upload the measurements?"
         type: boolean
         required: true
+      isRelease:
+        description: "Is this a release?"
+        type: boolean
+        default: false
+        required: false
       ref:
         type: string
         description: "Git ref to checkout"
@@ -33,6 +38,9 @@ on:
         description: "Sign and upload the measurements?"
         type: boolean
         required: true
+      isRelease:
+        description: "Is this a release?"
+        type: boolean
       ref:
         type: string
         description: "Git ref to checkout"
@@ -286,9 +294,9 @@ jobs:
       - name: Sign measurements
         shell: bash
         env:
-          COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
+          COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+          COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
         run: |
           echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
           # Enabling experimental mode also publishes signature to Rekor
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c978cdef9..102896309 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -176,6 +176,7 @@ jobs:
       osImage: ${{ inputs.version }}
       isDebugImage: false
       signMeasurements: true
+      isRelease: true
       ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
 update-hardcoded-measurements:
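Review bot: The new `workflow_dispatch` input `isRelease` is a manual checkbox whose description, "Is this a release?", does not tell the person dispatching that ticking it switches the signing step to the production cosign key for whatever `ref` they typed in; the sensitivity should be visible at the point of choice. I would make the description explicit, e.g. `description: "Sign with the release (production) cosign key instead of the dev key"`, and keep `default: false` as it is here. Whether dispatch permissions or an environment further restrict who can set this is not visible in the hunk; the surrounding `inputs:` mapping starts above it.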
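Review bot: The `workflow_call` declaration of `isRelease` omits the `default: false` and `required: false` that the `workflow_dispatch` declaration in the hunk above carries, so the dev-key fallback for callers that do not pass the flag rests on an unset boolean input evaluating as false rather than on a declared default. For consistency and to make the safe default explicit, add `default: false` and `required: false` under `type: boolean` here too, matching the dispatch form. The enclosing `inputs:` mapping begins before the hunk.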
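Review bot: Selecting the production `COSIGN_PRIVATE_KEY`/`COSIGN_PASSWORD` now depends solely on a caller-supplied boolean, whereas the removed lines tied it to `github.ref` being a `refs/heads/release/v*` branch; together with the free-form `ref` input, a `workflow_dispatch` run from any branch can now ask for production-signed measurements of an arbitrary checkout, which the old ref-based guard prevented. The switch is presumably motivated by `github.ref` in a called workflow reflecting the caller's ref rather than the release branch, but the signing step still deserves an independent check: for example `if: ${{ !inputs.isRelease || startsWith(inputs.ref, 'release/v') }}` on the step, or a `run` guard that exits non-zero when `isRelease` is set and the checked-out ref is not a release branch, plus ideally binding the release secrets to a protected GitHub environment so the flag alone cannot reach them. Separately, the `a && b || c` pattern silently falls back to the dev key when the release secret is empty (e.g. missing or not exposed to the run), so a release could be dev-signed without error; consider failing fast in `run:` if `inputs.isRelease` is set and `COSIGN_PRIVATE_KEY` equals the dev key or is empty. The step's `run:` block continues past the hunk.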