init

This commit is contained in:
2026-03-26 18:59:50 +07:00
parent 38ecc2ad24
commit 958710998e


@@ -0,0 +1,73 @@
# .gitea/workflows/build-sign-push.yaml
name: build, sign and push
on:
push:
branches: [main]
env:
REGISTRY: git.realmanual.ru
IMAGE: git.realmanual.ru/${{ gitea.repository }}
jobs:
build-and-sign:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: checkout
uses: actions/checkout@v4
# --- build ---
- name: set up docker buildx
uses: docker/setup-buildx-action@v3
- name: Read Version
id: version
run: echo "VERSION=$(cat image/VERSION)" >> $GITHUB_OUTPUT
- name: login to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ gitea.actor }}
password: ${{ secrets.PUSH_TOKEN }}
- name: build and push
id: build
uses: docker/build-push-action@v5
with:
context: ./image
push: true
# тегируем и по SHA и по latest
tags: |
${{ env.IMAGE }}:${{ gitea.sha }}
${{ env.IMAGE }}:${{ steps.version.outputs.VERSION }}
# digest понадобится для подписи — по тегу подписывать нельзя
outputs: type=image,push=true
# --- sign ---
# cosign надо ставить отдельно — в ubuntu-latest его нет
- name: install cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v3.0.5'
- name: sign image
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
# digest в формате sha256:abc123...
IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
run: |
cosign sign --yes \
--key env://COSIGN_PRIVATE_KEY \
${{ env.IMAGE }}@${IMAGE_DIGEST}
# --- verify (self-check в CI) ---
- name: verify signature
env:
IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
run: |
cosign verify \
--key cosign.pub \
${{ env.IMAGE }}@${IMAGE_DIGEST}
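Review bot: The "Read Version" step copies whatever image/VERSION contains straight into an image tag without checking that the file exists or that its content is a valid tag; `echo "VERSION=$(cat image/VERSION)" >> $GITHUB_OUTPUT` still exits 0 when the file is missing, so VERSION is empty and the later tag line `${{ env.IMAGE }}:${{ steps.version.outputs.VERSION }}` becomes `IMAGE:`, and a file with surrounding whitespace yields a malformed tag too. Since this tag is what gets pushed and then signed, I would make the step fail fast and restrict the value to the OCI tag grammar (first character `[A-Za-z0-9_]`, then up to 127 of `[A-Za-z0-9_.-]`), as in the fence below. Separately, the comment `# тегируем и по SHA и по latest` says a `latest` tag is pushed, but the tags block only lists the SHA and VERSION tags — either add `${{ env.IMAGE }}:latest` or change the comment to `# tag by commit SHA and by image/VERSION`. The third-party actions are referenced by floating major tags (`@v4`, `@v3`, `@v5`); for a workflow that holds a push token and a signing key, pinning them to full commit SHAs is worth considering.
```yaml
      - name: Read Version
        id: version
        run: |
          set -euo pipefail
          VERSION="$(tr -d '[:space:]' < image/VERSION)"
          # fail the job rather than push a mislabeled image when the file holds something that is not a valid OCI tag
          [[ "$VERSION" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]
          echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
      # … unchanged: login, build and push, sign, verify steps …
```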