ci: use explicit input to choose cosign key for OS image measurements
parent
16d27b5157
commit
49288f5d30
14
.github/workflows/generate-measurements.yml
vendored
14
.github/workflows/generate-measurements.yml
vendored
@ -15,6 +15,11 @@ on:
|
|||||||
description: "Sign and upload the measurements?"
|
description: "Sign and upload the measurements?"
|
||||||
type: boolean
|
type: boolean
|
||||||
required: true
|
required: true
|
||||||
|
isRelease:
|
||||||
|
description: "Is this a release?"
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
required: false
|
||||||
ref:
|
ref:
|
||||||
type: string
|
type: string
|
||||||
description: "Git ref to checkout"
|
description: "Git ref to checkout"
|
||||||
@ -33,6 +38,9 @@ on:
|
|||||||
description: "Sign and upload the measurements?"
|
description: "Sign and upload the measurements?"
|
||||||
type: boolean
|
type: boolean
|
||||||
required: true
|
required: true
|
||||||
|
isRelease:
|
||||||
|
description: "Is this a release?"
|
||||||
|
type: boolean
|
||||||
ref:
|
ref:
|
||||||
type: string
|
type: string
|
||||||
description: "Git ref to checkout"
|
description: "Git ref to checkout"
|
||||||
@ -286,9 +294,9 @@ jobs:
|
|||||||
- name: Sign measurements
|
- name: Sign measurements
|
||||||
shell: bash
|
shell: bash
|
||||||
env:
|
env:
|
||||||
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||||
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||||
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
||||||
run: |
|
run: |
|
||||||
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
|
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
|
||||||
# Enabling experimental mode also publishes signature to Rekor
|
# Enabling experimental mode also publishes signature to Rekor
|
||||||
|
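Review bot: The three `COSIGN_*` expressions in the "Sign measurements" step now select the production key from `inputs.isRelease` alone, so the key choice is no longer tied to the ref being built; the removed `startsWith(github.ref, 'refs/heads/release/v')` test was the only branch binding visible in this hunk. If the first `on:` block is the manual-dispatch trigger (the trigger names fall outside the hunks), anyone allowed to start the workflow could get measurements for an arbitrary `inputs.ref` signed with the release key. Consider keeping the production secrets in a protected environment, or adding an early step that fails when `isRelease` is true and `inputs.ref` is not a release branch. Separately, the `a && b || c` form falls through to the dev secret whenever the production secret is empty, so a misconfigured release run would be signed with the dev key without any error; an explicit failure in that case is safer. A comment above the input such as `# isRelease selects the production cosign key; only release.yml should set it` would document the intent, and note that the step's `run:` script continues past the end of the hunk.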
1
.github/workflows/release.yml
vendored
1
.github/workflows/release.yml
vendored
@ -176,6 +176,7 @@ jobs:
|
|||||||
osImage: ${{ inputs.version }}
|
osImage: ${{ inputs.version }}
|
||||||
isDebugImage: false
|
isDebugImage: false
|
||||||
signMeasurements: true
|
signMeasurements: true
|
||||||
|
isRelease: true
|
||||||
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
|
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
|
||||||
|
|
||||||
update-hardcoded-measurements:
|
update-hardcoded-measurements:
|
||||||
|