Open xynydev opened 8 months ago
Lowercase registry is being fixed here: https://github.com/blue-build/cli/pull/8
Should the image verification be implemented here with EyeCantCU's action (easy), or in cli?
> Should the image verification be implemented here with EyeCantCU's action (easy), or in cli?
If it just involves inspecting it for a label, we can totally do that in the tool. Plus I'll need that to make sure we're using the right version number on the image instead of latest
FYI, not only is base image verification needed but also custom base image verification, if using EyeCantCU's action:
```yaml
- name: Verify base image
  if: ${{ ! contains(env.IMAGE_NAME, 'wayblue') }}
  uses: EyeCantCU/cosign-action/verify@v0.2.2
  with:
    containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
- name: Verify base image
  if: ${{ contains(env.IMAGE_NAME, 'wayblue') }}
  uses: EyeCantCU/cosign-action/verify@v0.2.2
  with:
    containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
    registry: 'ghcr.io/wayblueorg'
    pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub'
```
Regardless, the registry and pubkey need to be available as parameters.
I could implement this based on EyeCantCU's PR on startingpoint first, since this isn't a priority to implement in cli.
We should probably have a list of keys to verify against by default, at least ublue and upstream fedora and vanilla (if those use cosign, haven't checked yet). I'm also unsure how to handle OIDC here.
Are these things, that are in the startingpoint action, missing from here, or are they implemented in blue-build/cli (@gmpinder) ?
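One way a CLI could take `registry` and `pubkey` as parameters and otherwise fall back to a default list of trusted signers (including a keyless/OIDC entry), as an added example that is not blue-build or EyeCantCU code. Only the wayblue key URL comes from this thread; the ublue placeholder, the `example.invalid` keyless entry and all function names are assumptions.

```python
"""Select a cosign verification policy for a base image and build the `cosign verify` argv."""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class KeyPolicy:
    pubkey: str  # path or URL passed to `cosign verify --key`


@dataclass(frozen=True)
class KeylessPolicy:
    identity: str  # expected certificate identity (signer's OIDC subject)
    issuer: str    # expected OIDC issuer, e.g. the GitHub Actions token issuer


Policy = Union[KeyPolicy, KeylessPolicy]

# Trusted signers keyed by registry/org prefix. Only the wayblue key is from the
# thread; the other two entries are placeholders/hypothetical and must be filled in.
DEFAULT_POLICIES: Dict[str, Policy] = {
    "ghcr.io/wayblueorg": KeyPolicy("https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub"),
    "ghcr.io/ublue-os": KeyPolicy("PLACEHOLDER-ublue-cosign.pub"),
    "example.invalid/keyless-org": KeylessPolicy(identity="PLACEHOLDER-expected-identity",
                                                 issuer="https://token.actions.githubusercontent.com"),
}


def build_verify_cmd(image: str, registry: Optional[str] = None, pubkey: Optional[str] = None,
                     policies: Dict[str, Policy] = DEFAULT_POLICIES) -> List[str]:
    """Return argv for `cosign verify`. An explicit pubkey always wins; otherwise the
    longest matching registry/org prefix selects the signer. Unknown images are
    rejected instead of being verified against a guessed key."""
    ref = f"{registry.rstrip('/')}/{image}" if registry else image  # image is name:tag when registry is given
    if pubkey:
        policy: Policy = KeyPolicy(pubkey)
    else:
        match = max((p for p in policies if ref.startswith(p + "/")), key=len, default=None)
        if match is None:
            raise ValueError(f"no trusted signer configured for {ref}; pass pubkey explicitly")
        policy = policies[match]
    if isinstance(policy, KeyPolicy):
        return ["cosign", "verify", "--key", policy.pubkey, ref]
    return ["cosign", "verify", "--certificate-identity", policy.identity,
            "--certificate-oidc-issuer", policy.issuer, ref]


def verify(image: str, **kwargs) -> bool:
    """Run cosign; True only when the signature check exits 0 (anything else is untrusted)."""
    return subprocess.run(build_verify_cmd(image, **kwargs), check=False).returncode == 0
```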