ci: use explicit input to choose cosign key for OS image measurements

Malte Poll 2023-01-06 09:39:49 +01:00 committed by Malte Poll
parent 16d27b5157
commit 49288f5d30
2 changed files with 12 additions and 3 deletions


@ -15,6 +15,11 @@ on:
description: "Sign and upload the measurements?" description: "Sign and upload the measurements?"
type: boolean type: boolean
required: true required: true
isRelease:
description: "Is this a release?"
type: boolean
default: false
required: false
ref: ref:
type: string type: string
description: "Git ref to checkout" description: "Git ref to checkout"
@ -33,6 +38,9 @@ on:
description: "Sign and upload the measurements?" description: "Sign and upload the measurements?"
type: boolean type: boolean
required: true required: true
isRelease:
description: "Is this a release?"
type: boolean
ref: ref:
type: string type: string
description: "Git ref to checkout" description: "Git ref to checkout"
@ -286,9 +294,9 @@ jobs:
- name: Sign measurements - name: Sign measurements
shell: bash shell: bash
env: env:
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
run: | run: |
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
# Enabling experimental mode also publishes signature to Rekor # Enabling experimental mode also publishes signature to Rekor
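Review bot: Replacing the `refs/heads/release/v` ref check with `inputs.isRelease` on the three COSIGN env lines moves the choice of signing key to whoever triggers the workflow; since `isRelease` is also exposed as a `workflow_dispatch` input in the first hunk, a manual run on any branch with `isRelease: true` would sign measurements with the production key and, per the comment below, publish that signature to Rekor. If the ref check was dropped because the reusable workflow sees the caller's `github.ref` rather than the release branch, consider keeping a second condition on the checked-out `inputs.ref` (in whatever form the release branch is passed there) so both the input and the ref must agree, or bind the production COSIGN secrets to a protected environment with required reviewers so an input alone cannot select them. The `workflow_call` variant of `isRelease` in the second hunk also lacks the `default: false` that the `workflow_dispatch` variant declares; adding it keeps the fallback to the dev key explicit when a caller omits the input. The `Sign measurements` step continues outside the hunk.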


@ -176,6 +176,7 @@ jobs:
osImage: ${{ inputs.version }} osImage: ${{ inputs.version }}
isDebugImage: false isDebugImage: false
signMeasurements: true signMeasurements: true
isRelease: true
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
update-hardcoded-measurements: update-hardcoded-measurements: