These actions exist to further automate the usage of sigstore's 'cosign'.
The 'sign' action signs the target container(s) using a private key stored as a repository secret. It is the private key generated by 'cosign' when creating a key pair.
Example implementation for GHCR:

```yaml
jobs:
  example:
    runs-on: ubuntu-latest
    permissions: {}
    name: Sign container with Cosign
    steps:
      - name: Sign container
        uses: EyeCantCU/cosign-action/[email protected]
        with:
          containers: silverblue-main, kinoite-main
          registry: ghcr.io/ublue-os
          registry-token: ${{ secrets.GITHUB_TOKEN }}
          signing-secret: ${{ secrets.SIGNING_SECRET }}
          tags: latest
```

The 'verify' action validates the target containers' signature via the public key. For example, for Universal Blue, this is the cosign.pub file stored in the root of all image repositories.
Example implementation for verifying against a public key:

```yaml
jobs:
  example:
    runs-on: ubuntu-latest
    permissions: {}
    name: Verify container with Cosign
    steps:
      - name: Verify container
        uses: EyeCantCU/cosign-action/[email protected]
        with:
          containers: silverblue-main:latest, kinoite-main:latest
          registry: ghcr.io/ublue-os
          pubkey: https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub
```

Example implementation for verifying against a certificate:
```yaml
jobs:
  example:
    runs-on: ubuntu-latest
    permissions: {}
    name: Verify container with Cosign
    steps:
      - name: Verify container
        uses: EyeCantCU/cosign-action/[email protected]
        with:
          containers: bash, busybox, caddy
          registry: cgr.dev/chainguard
          cert-identity: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
          oidc-issuer: https://token.actions.githubusercontent.com
```

While not recommended, you may also opt to fail verification silently without disrupting your workflow by setting `fail-silently: 'true'`.
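As an added example that is not the cosign-action's own code, the following shell script shows what a wrapper around `cosign verify --key` has to do with inputs shaped like the ones above: expand the comma-separated `containers` and `tags` against `registry`, verify each reference, and honour a fail-silently switch. How the real action parses its inputs is an assumption here, and `cosign` is assumed to be on PATH.

```shell
# Added example, not the cosign-action's own code: mirrors what a wrapper
# around 'cosign verify --key' must do with inputs shaped like the action's
# (comma-separated containers and tags, a registry, a fail-silently switch).
# Assumes 'cosign' is on PATH; set COSIGN=... to swap the binary for a dry run.
set -eu

# expand_refs REGISTRY CONTAINERS [TAGS]: print one image reference per line.
# Whitespace around commas is ignored. A container that already carries a
# ':tag' is used as given; otherwise every tag in TAGS is appended to it.
expand_refs() {
  registry=$1; containers=$2; tags=${3:-}
  old_ifs=$IFS; IFS=','
  for c in $containers; do
    c=$(printf '%s' "$c" | tr -d '[:space:]')
    [ -n "$c" ] || continue
    case $c in *:*) tagged=1 ;; *) tagged=0 ;; esac
    if [ "$tagged" -eq 1 ] || [ -z "$tags" ]; then
      printf '%s/%s\n' "$registry" "$c"; continue
    fi
    for t in $tags; do
      t=$(printf '%s' "$t" | tr -d '[:space:]')
      [ -n "$t" ] && printf '%s/%s:%s\n' "$registry" "$c" "$t"
    done
  done
  IFS=$old_ifs
}

# verify_all PUBKEY FAIL_SILENTLY REF...: verify every reference against the
# public key. Returns 1 if any reference fails, unless FAIL_SILENTLY is 'true',
# in which case failures are only reported and the exit status stays 0.
verify_all() {
  pubkey=$1; silent=$2; shift 2
  failed=0
  for ref in "$@"; do
    if "${COSIGN:-cosign}" verify --key "$pubkey" "$ref" >/dev/null 2>&1; then
      echo "verified: $ref"
    else
      echo "FAILED: $ref" >&2; failed=1
    fi
  done
  if [ "$failed" -eq 1 ] && [ "$silent" != "true" ]; then return 1; fi
  return 0
}

# Demo: the page's GHCR 'verify' inputs expanded into the references cosign
# would receive (no network needed for this step).
expand_refs "ghcr.io/ublue-os" "silverblue-main:latest, kinoite-main:latest"
```

A real run would follow with `verify_all cosign.pub false $(expand_refs ...)`, which exits non-zero on the first bad signature unless fail-silently is set to `true`.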