Closed JohnGarbutt closed 7 months ago
Give the pipeline id-token permissions, so the action can automatically sign the container images.
As an example, you can verify the signature like this:
cosign verify ghcr.io/stackhpc/azimuth-caas-operator:3ec0b58 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity-regexp="https://github.com/stackhpc/azimuth-caas-operator/.github/.*"
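An added example, not part of the original PR: it builds an anchored, escaped value for `--certificate-identity-regexp` and compares it with the pattern in the command above. It assumes cosign applies the expression as an unanchored Go regexp search (emulated here with `grep -E`); the workflow file name, the sample identities and the branch/tag-only restriction are constructed for illustration.

```shell
#!/bin/sh
# Escape regex metacharacters so "." in "github.com" matches only a literal dot.
escape_re() {
    printf '%s' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# Anchored identity pattern for workflows of one repository ($1 = owner/repo).
# Restricting refs to branches and tags is a policy choice (assumption).
identity_regexp() {
    printf '^%s%s$' "$(escape_re "https://github.com/$1")" \
        '/\.github/workflows/[^@]+@refs/(heads|tags)/.+'
}

# Unanchored search of pattern $1 in identity $2, like an unanchored regexp match.
re_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Pattern from the command above, and the tightened one.
PAGE_RE='https://github.com/stackhpc/azimuth-caas-operator/.github/.*'
STRICT_RE=$(identity_regexp stackhpc/azimuth-caas-operator)

# Constructed certificate identities (SAN values) for the comparison.
BASE='github.com/stackhpc/azimuth-caas-operator'
GOOD="https://$BASE/.github/workflows/build.yaml@refs/heads/main"
PR_REF="https://$BASE/.github/workflows/build.yaml@refs/pull/1/merge"
DOTTED="https://$BASE/xgithub/workflows/build.yaml@refs/heads/main"
PREFIXED="https://example.invalid/https://$BASE/.github/workflows/build.yaml@refs/heads/main"

for id in "$GOOD" "$PR_REF" "$DOTTED" "$PREFIXED"; do
    if re_matches "$PAGE_RE" "$id"; then page=match; else page=no-match; fi
    if re_matches "$STRICT_RE" "$id"; then strict=match; else strict=no-match; fi
    printf 'page=%-8s strict=%-8s %s\n' "$page" "$strict" "$id"
done

# The verify command with the tightened pattern (image and issuer as on the page).
printf '%s \\\n  %s \\\n  %s\n' \
    'cosign verify ghcr.io/stackhpc/azimuth-caas-operator:3ec0b58' \
    '--certificate-oidc-issuer=https://token.actions.githubusercontent.com' \
    "--certificate-identity-regexp='$STRICT_RE'"
```

With the issuer pinned to GitHub's OIDC endpoint, the loose matches are a hygiene issue rather than a known bypass; the anchored form mainly ensures the policy reads as it is enforced.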