2424 group : " ${{ github.workflow }}-${{ github.sha }}"
2525 cancel-in-progress : false
2626
27+ environment :
28+ name : release
29+ url : ${{ format('{0}/{1}/pkgs/container/{2}', github.server_url, github.repository, 'docker-otel-lgtm') }}
30+
2731 permissions :
2832 artifact-metadata : write
2933 attestations : write
3842 persist-credentials : false
3943
4044 - name : Get Git commit timestamp
45+ id : get-commit-timestamp
4146 shell : bash
42- run : echo "GIT_COMMIT_EPOCH =$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV }"
47+ run : echo "git-commit-epoch =$(git log -1 --pretty=%ct)" >> "${GITHUB_OUTPUT }"
4348
4449 - name : Set up Docker Buildx
4550 uses : docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
6974 id : push
7075 uses : docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
7176 env :
72- SOURCE_DATE_EPOCH : ${{ env.GIT_COMMIT_EPOCH }}
77+ SOURCE_DATE_EPOCH : ${{ steps.get-commit-timestamp.outputs.git-commit-epoch }}
7378 with :
7479 annotations : ${{ steps.meta.outputs.annotations }}
7580 build-args : |
9095 subject-name : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
9196 subject-digest : ${{ steps.push.outputs.digest }}
9297
98+ - name : Verify attestations
99+ if : github.event_name != 'pull_request'
100+ shell : bash
101+ env :
102+ CONTAINER_IMAGE_DIGEST : ${{ format('oci://{0}/{1}@{2}', env.REGISTRY, env.IMAGE_NAME, steps.push.outputs.digest) }}
103+ CONTAINER_IMAGE_LABEL : ${{ format('oci://{0}/{1}:{2}', env.REGISTRY, env.IMAGE_NAME, github.ref_name == github.event.repository.default_branch && github.event.repository.default_branch || 'latest') }}
104+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
105+ run : |
106+ gh attestation verify --repo "${GITHUB_REPOSITORY}" "${CONTAINER_IMAGE_DIGEST}" || exit 1
107+ gh attestation verify --repo "${GITHUB_REPOSITORY}" "${CONTAINER_IMAGE_LABEL}" || exit 1
108+
93109 - name : Install cosign
94110 if : github.event_name != 'pull_request'
95111 uses : sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
@@ -102,3 +118,15 @@ jobs:
102118 DIGEST : ${{ steps.push.outputs.digest }}
103119 TAGS : ${{ steps.meta.outputs.tags }}
104120 run : echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
121+
122+ - name : Verify container image signatures
123+ if : github.event_name != 'pull_request'
124+ shell : bash
125+ env :
126+ CERTIFICATE_IDENTITY : ${{ format('{0}/{1}', github.server_url, github.workflow_ref) }}
127+ CERTIFICATE_OIDC_ISSUER : " https://token.actions.githubusercontent.com"
128+ CONTAINER_IMAGE_DIGEST : ${{ format('{0}/{1}@{2}', env.REGISTRY, env.IMAGE_NAME, steps.push.outputs.digest) }}
129+ CONTAINER_IMAGE_LABEL : ${{ format('{0}/{1}:{2}', env.REGISTRY, env.IMAGE_NAME, github.ref_name == github.event.repository.default_branch && github.event.repository.default_branch || 'latest') }}
130+ run : |
131+ cosign verify "${CONTAINER_IMAGE_DIGEST}" --certificate-identity "${CERTIFICATE_IDENTITY}" --certificate-oidc-issuer "${CERTIFICATE_OIDC_ISSUER}" || exit 1
132+ cosign verify "${CONTAINER_IMAGE_LABEL}" --certificate-identity "${CERTIFICATE_IDENTITY}" --certificate-oidc-issuer "${CERTIFICATE_OIDC_ISSUER}" || exit 1
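Review bot: The identity pinned in `CERTIFICATE_IDENTITY` is built from `github.workflow_ref`, i.e. the ref of the current run, so this step only confirms that the signature produced a few lines earlier verifies against the run's own identity; it does not document what a downstream consumer must pin. A comment on the step would make that explicit, e.g. `# Self-check: Fulcio's SAN is server_url/job_workflow_ref, which equals github.workflow_ref only while this job is not called from a reusable workflow; consumers should pin a fixed ref (default branch or release tag), not the current run's ref.` The second `cosign verify` resolves `CONTAINER_IMAGE_LABEL`, a mutable tag, at verification time; the digest check on the line above is the authoritative one, and cosign itself warns when a tag rather than a digest is supplied, so the tag check is best read as "the tag currently points at a signed digest" rather than as a signature check of the tag. The `|| exit 1` on both lines is redundant because `shell: bash` makes GitHub run the script with `-eo pipefail`; the same applies to the two `gh attestation verify` lines in the earlier hunk. The enclosing `jobs:` block and the `steps:` list start outside this hunk.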