notation action v1.2.1 #34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # workflow using OIDC and federated credentials | |
| name: test-notation-action-with-oidc | |
| on: | |
| push: | |
| branches: | |
| - main | |
| env: | |
| ACR_TO_RELEASE: testnotation.azurecr.io | |
| ACR_REPO1_TO_RELEASE: gha1 | |
| ACR_REPO2_TO_RELEASE: gha2 | |
| KEY_ID: https://testnotationakv.vault.azure.net/keys/notation/570eae8ed8b44f1b8d6f187923b68a76 | |
| jobs: | |
| # build and push the release, setup notation, sign the artifact, and | |
| # verify the signature | |
| notation-setup-sign-verify: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: prepare | |
| id: prepare | |
| run: | | |
| TAG=oidc | |
| echo "target_artifact_reference1=${{ env.ACR_TO_RELEASE }}/${{ env.ACR_REPO1_TO_RELEASE }}:${TAG}" >> "$GITHUB_ENV" | |
| echo "target_artifact_reference2=${{ env.ACR_TO_RELEASE }}/${{ env.ACR_REPO2_TO_RELEASE }}:${TAG}" >> "$GITHUB_ENV" | |
| - name: Azure login | |
| uses: Azure/login@v1 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: ACR login | |
| run: | | |
| az acr login --name ${{ env.ACR_TO_RELEASE }} | |
| - name: Build and push | |
| id: push | |
| uses: docker/build-push-action@v4 | |
| with: | |
| push: true | |
| tags: | | |
| ${{ env.target_artifact_reference1 }} | |
| ${{ env.target_artifact_reference2 }} | |
| - name: Retrieve digest | |
| run: | | |
| echo "target_artifact_reference1=${{ env.ACR_TO_RELEASE }}/${{ env.ACR_REPO1_TO_RELEASE }}@${{ steps.push.outputs.digest }}" >> "$GITHUB_ENV" | |
| echo "target_artifact_reference2=${{ env.ACR_TO_RELEASE }}/${{ env.ACR_REPO2_TO_RELEASE }}@${{ steps.push.outputs.digest }}" >> "$GITHUB_ENV" | |
| - name: setup notation | |
| # this is equivalent to `uses: notaryproject/notation-action/setup@v1` | |
| uses: notaryproject/notation-action@v1 | |
| - name: sign released artifacts using key pair from AKV | |
| uses: notaryproject/notation-action/sign@v1 | |
| with: | |
| plugin_name: azure-kv | |
| plugin_url: https://github.com/Azure/notation-azure-kv/releases/download/v1.2.0/notation-azure-kv_1.2.0_linux_amd64.tar.gz | |
| plugin_checksum: 06bb5198af31ce11b08c4557ae4c2cbfb09878dfa6b637b7407ebc2d57b87b34 | |
| key_id: ${{ env.KEY_ID }} | |
| target_artifact_reference: |- | |
| ${{ env.target_artifact_reference1 }} | |
| ${{ env.target_artifact_reference2 }} | |
| signature_format: cose | |
| plugin_config: |- | |
| ca_certs=.github/sign/cert-bundle/cert-bundle.pem | |
| self_signed=false | |
| timestamp_url: http://rfc3161timestamp.globalsign.com/advanced | |
| timestamp_root_cert: .github/sign/tsaRootCerts/globalsignRoot.cer | |
| force_referrers_tag: 'false' | |
| - name: verify released artifacts | |
| uses: notaryproject/notation-action/verify@v1 | |
| with: | |
| target_artifact_reference: |- | |
| ${{ env.target_artifact_reference1 }} | |
| ${{ env.target_artifact_reference2 }} | |
| trust_policy: .github/verify/trustpolicy/trustpolicy.json | |
| trust_store: .github/verify/truststore | |