1717 username : ${{ secrets.HARBOR_USERNAME }}
1818 password : ${{ secrets.HARBOR_PASSWORD }}
1919
20- - name : Create Python SBOM
21- run : |
22- python -m pip install --upgrade pip
23- sudo npm install -g @cyclonedx/cdxgen
24- pip install -r requirements.txt
25- cdxgen -t python -o sbom.json .
26-
27- - name : Install cosign
28- run : |
29- curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
30- -o cosign
31- chmod +x cosign
32- sudo mv cosign /usr/local/bin/
20+ - name : Install Cosign
21+ uses : sigstore/cosign-installer@v3.9.2
3322
3423 - name : Install oras
3524 uses : oras-project/setup-oras@v1
@@ -43,23 +32,18 @@ jobs:
4332 docker push harbor.wizardtower.dev/museit/museit-docs:latest
4433 docker push harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA
4534
46- - name : Push SBOM to Harbor
47- run : |
48- oras push harbor.wizardtower.dev/museit/museit-docs/sbom:latest \
49- --manifest-config sbom-python.json:application/json \
50- sbom-python.json:application/json
51- oras push harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA \
52- --manifest-config sbom-python.json:application/json \
53- sbom-python.json:application/json
54-
55- - name : Sign SBOM with Cosign
35+ - name : Sign images with Cosign
5636 env :
57- COSIGN_PASSWORD : ${{ secrets.COSIGN_PASSWORD }}
37+ COSIGN_PRIVATE_KEY : ${{ secrets.COSIGN_PRIVATE_KEY }}
5838 run : |
59- echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
6039 cosign sign \
61- --key cosign.key \
62- harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA
40+ --yes \
41+ --key env://COSIGN_PRIVATE_KEY \
42+ harbor.wizardtower.dev/museit/museit-docs:latest
43+ cosign sign \
44+ --yes \
45+ --key env://COSIGN_PRIVATE_KEY \
46+ harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA
6347
6448 deploy :
6549 runs-on : [ self-hosted, linux, rke2, wizardtower ]
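Review bot: Both `cosign sign` invocations in the new "Sign images with Cosign" step sign mutable tag references (`museit-docs:latest` and `museit-docs:$GITHUB_SHA`), so the tag is resolved again at signing time and the signature binds to whatever digest the registry returns then, which is not guaranteed to be what the preceding `docker push` lines uploaded; cosign prints a warning for tag references for exactly this reason. Resolve the digest after the push and sign it once, since both tags refer to the same manifest: `DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA)` followed by `cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$DIGEST"`, which also removes the duplicated block. The hunk additionally drops `COSIGN_PASSWORD` from the step's `env:`; if the key held in `COSIGN_PRIVATE_KEY` is password-encrypted, the non-interactive run will fail at the first `cosign sign`, so it is worth confirming the key is unencrypted or restoring that variable. The enclosing job and the `docker push` steps it depends on begin before this hunk.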