use intermediate environment variables to avoid risks of script injec…

…tion (#122) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
sigstore · May 16, 2023 · 46b5db7 · 46b5db7
1 parent 84448ba
commit 46b5db7
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -126,16 +126,21 @@ jobs:
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
 
+      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
       - name: Sign image with a key
         run: |
           cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
         env:
           TAGS: ${{ steps.docker_meta.outputs.tags }}
           COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
 
       - name: Sign the images with GitHub OIDC Token
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.docker_meta.outputs.tags }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign {}@${DIGEST}
 ```
 
 ### Optional Inputs