Update github actions to use cosign v1.2.0 #708
Conversation
* Introduce new api version helpers
  This makes the code a little easier to read.
  Signed-off-by: Natalie Arellano <[email protected]>
* Fix
  Signed-off-by: Natalie Arellano <[email protected]>
* Remove comment
  Signed-off-by: Natalie Arellano <[email protected]>
* Fix lint
  Signed-off-by: Natalie Arellano <[email protected]>
@jabrown85 any objections to putting this in the release branch?
cosign verify -key cosign.pub -a tag=${{ env.LIFECYCLE_VERSION }} buildpacksio/lifecycle:sha256-${MANIFEST_SHA}.sbom | ||
-a tag=${{ env.LIFECYCLE_VERSION }} -attachment sbom \ | ||
buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}@${MANIFEST_SHA} | ||
cosign verify -key cosign.pub -a tag=${{ env.LIFECYCLE_VERSION }} -attachment sbom buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }} |
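Review bot: the last `cosign verify ... -attachment sbom` line checks `buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}` by tag only, whereas the command just above it pins `buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}@${MANIFEST_SHA}`; appending `@${MANIFEST_SHA}` here as well would bind the SBOM verification to the immutable digest instead of a tag that can be moved between the push and the check, and keeps the two verify steps consistent.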
I can't make a code suggestion because the lines didn't change, but lines 34, 38, and 42 should use `jq -r .[0].critical.image.\"docker-manifest-digest\"` instead of `jq -r .critical.image.\"docker-manifest-digest\"` because cosign 1.2.0 returns the verification as an array.
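As an added illustration (not code from this PR or from the lifecycle project), a Python helper that does what the `.[0]` jq expression above does and additionally validates the payload before the digest is trusted; it accepts both the array output of cosign 1.2.0 and the single-object output of earlier releases. The image reference, tag and digest in the sample are constructed values.

```python
import json
from typing import Optional

# Constructed sample of what `cosign verify` prints from v1.2.0 on: a JSON array
# with one SimpleSigning payload per verified signature. The reference, tag
# and digest below are made-up values for this example.
COSIGN_OUTPUT_V120 = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/buildpacksio/lifecycle"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {"tag": "0.12.0"},
}])

# The same payload as releases before 1.2.0 printed it: a bare object.
COSIGN_OUTPUT_LEGACY = json.dumps(json.loads(COSIGN_OUTPUT_V120)[0])


def manifest_digest(verify_output: str, expected_tag: str,
                    expected_ref: Optional[str] = None) -> str:
    """Return the signed docker-manifest-digest from `cosign verify` output.

    Does what `jq -r .[0].critical.image."docker-manifest-digest"` does, but
    also checks the `tag` annotation (the claim `-a tag=...` asked cosign to
    enforce) and, when given, the signed image reference, and refuses
    anything that does not look like a sha256 digest.
    """
    parsed = json.loads(verify_output)
    payloads = parsed if isinstance(parsed, list) else [parsed]  # 1.2.0 vs older
    if not payloads:
        raise ValueError("cosign verify returned no verified signatures")
    critical = payloads[0]["critical"]
    optional = payloads[0].get("optional") or {}
    if critical.get("type") != "cosign container image signature":
        raise ValueError("unexpected signature payload type")
    if optional.get("tag") != expected_tag:
        raise ValueError("tag annotation %r != expected %r"
                         % (optional.get("tag"), expected_tag))
    if expected_ref is not None and critical["identity"]["docker-reference"] != expected_ref:
        raise ValueError("signed image reference does not match")
    digest = critical["image"]["docker-manifest-digest"]
    if not (digest.startswith("sha256:") and len(digest) == 71
            and all(c in "0123456789abcdef" for c in digest[7:])):
        raise ValueError("malformed digest: %r" % digest)
    return digest
```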
Signed-off-by: Sambhav Kothari <[email protected]>
* Run image should be locked to a digest in analyzed.toml (#720)
  * Run image should be locked to a digest in analyzed.toml
    Signed-off-by: Natalie Arellano <[email protected]>
  * Use more flexible matcher for other test
    Signed-off-by: Natalie Arellano <[email protected]>
* Update github actions to use cosign v1.2.0 (#708)
  * Introduce new api version helpers (#705)
    * Introduce new api version helpers
      This makes the code a little easier to read.
      Signed-off-by: Natalie Arellano <[email protected]>
    * Fix
      Signed-off-by: Natalie Arellano <[email protected]>
    * Remove comment
      Signed-off-by: Natalie Arellano <[email protected]>
    * Fix lint
      Signed-off-by: Natalie Arellano <[email protected]>
  * Update github actions to use cosign v1.2.0
    Signed-off-by: Sambhav Kothari <[email protected]>
    Co-authored-by: Natalie Arellano <[email protected]>
* Add information about buildpacksio/lifecycle (#707)
  * Introduce new api version helpers (#705)
    * Introduce new api version helpers
      This makes the code a little easier to read.
      Signed-off-by: Natalie Arellano <[email protected]>
    * Fix
      Signed-off-by: Natalie Arellano <[email protected]>
    * Remove comment
      Signed-off-by: Natalie Arellano <[email protected]>
    * Fix lint
      Signed-off-by: Natalie Arellano <[email protected]>
  * Add information about buildpacksio/lifecycle
    This information should be copied to the Docker Hub repo "about" section.
    Signed-off-by: Natalie Arellano <[email protected]>
  * Small fix
    Signed-off-by: Natalie Arellano <[email protected]>
  * Small fix
    Signed-off-by: Natalie Arellano <[email protected]>
  * Update steps for verifying SBOM
    Signed-off-by: Natalie Arellano <[email protected]>
* Update the README for platform 0.7 (#704)
  Signed-off-by: Natalie Arellano <[email protected]>
* Fix umask race (#722)
  * Set umask before extracting layers to avoid race condition
    Signed-off-by: Natalie Arellano <[email protected]>
  * Add comment
    Signed-off-by: Natalie Arellano <[email protected]>
  * Update archive/extract.go
    Signed-off-by: Natalie Arellano <[email protected]>
    Co-authored-by: Anthony Emengo <[email protected]>
  * Don't try to set the umask outside of extract
    Signed-off-by: Natalie Arellano <[email protected]>
  * Don't try to read umask in extract
    Signed-off-by: Natalie Arellano <[email protected]>
    Co-authored-by: Anthony Emengo <[email protected]>
* Buildpack api 0.7 is not supported (#726)
  * Buildpack api 0.7 is not supported
    We missed this when backing out asset packages.
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix
    Signed-off-by: Natalie Arellano <[email protected]>
* Use the correct tag when signing the sbom (#729)
  * Use the correct tag when signing the sbom
    Also there is no need to parse the digest from `crane tag` because it does not change. This will make the code less brittle.
    Signed-off-by: Natalie Arellano <[email protected]>
  * Add manifest sha when validating semver
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix
    Signed-off-by: Natalie Arellano <[email protected]>
* Ensure umask is unset when extracting archive (#727)
  * Ensure umask is unset when extracting archive
    Signed-off-by: Natalie Arellano <[email protected]>
  * Add test
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix
    Signed-off-by: Natalie Arellano <[email protected]>
  * Get the current umask without changing it
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix windows
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix windows
    Signed-off-by: Natalie Arellano <[email protected]>
  * Update per review comments
    Signed-off-by: Natalie Arellano <[email protected]>
  * Less confusing wording
    Signed-off-by: Natalie Arellano <[email protected]>
  * Reduce the diff
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix
    Signed-off-by: Natalie Arellano <[email protected]>
  * Added comments
    Signed-off-by: Natalie Arellano <[email protected]>
  * Better wording
    Signed-off-by: Natalie Arellano <[email protected]>
  * Add test that system umask is used to create non existent directory not in tar file
    Signed-off-by: Natalie Arellano <[email protected]>
  * Variable names and formatting
    Signed-off-by: Natalie Arellano <[email protected]>
  * Try to fix windows
    Signed-off-by: Natalie Arellano <[email protected]>
  * Avoid direct dependency on archive
    Signed-off-by: Natalie Arellano <[email protected]>
  * Make test setup simpler and update comment
    Signed-off-by: Natalie Arellano <[email protected]>
  * Add build directive
    Signed-off-by: Natalie Arellano <[email protected]>
  * Apply suggestions from code review
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix Codecov
    Signed-off-by: Natalie Arellano <[email protected]>
  * Fix lint
    Signed-off-by: Natalie Arellano <[email protected]>
  * Set Umask as part of archive.Extract
    Signed-off-by: Natalie Arellano <[email protected]>
  * Move the unlock methods to be under defer instead at the end of the function in case setUmask will panic.
    Signed-off-by: Natalie Arellano <[email protected]>
* Bump imgutil (#731)
  Signed-off-by: Natalie Arellano <[email protected]>
* Fix merge
  Signed-off-by: Natalie Arellano <[email protected]>

Co-authored-by: Sambhav Kothari <[email protected]>
Co-authored-by: Anthony Emengo <[email protected]>
Co-authored-by: Yael Harel <[email protected]>
Co-authored-by: Yael Harel <[email protected]>
Signed-off-by: Sambhav Kothari [email protected]