/
action.yml
84 lines (75 loc) · 3.65 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# action.yml
name: install-cosign
description: 'Install Cosign and put it on your path'
branding:
icon: 'package'
color: 'blue'
# This is pinned to the last major release, we have to bump it for each action version.
inputs:
cosign-release:
description: 'Cosign release version to use in the actions.'
required: false
default: 'v1.3.0'
runs:
using: "composite"
steps:
# We verify the version against a SHA **in the published action itself**, not in the GCS bucket.
- run: |
trap "popd" EXIT
mkdir -p $HOME/.cosign
pushd $HOME/.cosign
bootstrap_version='v1.3.0'
expected_bootstrap_version_digest='9604a5eb171748113f92a67495556007dde6f45804f0b38d3e55c3bc7e151774'
curl -L https://storage.googleapis.com/cosign-releases/${bootstrap_version}/cosign-linux-amd64 -o cosign
shaBootstrap=$(sha256sum cosign | cut -d' ' -f1);
if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then exit 1; fi
chmod +x cosign
# If the bootstrap and specified `cosign` releases are the same, we're done.
if [[ ${{ inputs.cosign-release }} == ${bootstrap_version} ]]; then exit 0; fi
semver='^v([0-9]+\.){0,2}(\*|[0-9]+)$'
if [[ ${{ inputs.cosign-release }} =~ $semver ]]; then
echo "INFO: Custom Cosign Version ${{ inputs.cosign-release }}"
else
echo "ERROR: Unable to validate cosign version: '${{ inputs.cosign-release }}'"
exit 1
fi
# Download custom cosign
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign_linux_amd64 -o cosign_${{ inputs.cosign-release }}
else
curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign-linux-amd64 -o cosign_${{ inputs.cosign-release }}
fi
shaCustom=$(sha256sum cosign_${{ inputs.cosign-release }} | cut -d' ' -f1);
# same hash means it is the same release
if [[ $shaCustom != $shaBootstrap ]];
then
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
# v0.6.0's linux release has a dependency on `libpcsclite1`
set +e
sudo dpkg -s libpcsclite1
if [ $? -eq 0 ]; then
echo "INFO: libpcsclite1 package is already installed"
else
echo "INFO: libpcsclite1 package is not installed, installing it now."
sudo apt-get update -q
sudo apt-get install -yq libpcsclite1
fi
set -e
curl -L https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign_linux_amd64_0.6.0_linux_amd64.sig -o cosign-linux-amd64.sig
else
curl -LO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign-linux-amd64.sig
fi
if [[ ${{ inputs.cosign-release }} < 'v0.6.0' ]]; then
RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/.github/workflows/cosign.pub
else
RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/release/release-cosign.pub
fi
./cosign verify-blob -key $RELEASE_COSIGN_PUB_KEY -signature cosign-linux-amd64.sig cosign_${{ inputs.cosign-release }}
if [[ $? != 0 ]]; then exit 1; fi
rm cosign
mv cosign_${{ inputs.cosign-release }} cosign
chmod +x cosign
fi
shell: bash
- run: echo "$HOME/.cosign" >> $GITHUB_PATH
shell: bash