Skip to content

Commit 818d5da

Browse files
committed
[ci] Increase attestation verbosity
Signed-off-by: Vladimir Portnov <vladimir.portnov@flant.com>
1 parent c4df4e6 commit 818d5da

2 files changed

Lines changed: 54 additions & 24 deletions

File tree

.werf/defines/trivyignore.tmpl

Lines changed: 27 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -59,18 +59,33 @@ shell:
5959
- export TRANSIT_SECRET_ENGINE_PATH="$(cat /run/secrets/COSIGN_TRANSIT_SECRET_ENGINE_PATH)"
6060
- export ACTIONS_ID_TOKEN_REQUEST_TOKEN="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
6161
- export ACTIONS_ID_TOKEN_REQUEST_URL="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)"
62-
- |
63-
ACTIONS_ID_TOKEN=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" )) \
64-
VAULT_TOKEN="$(curl -X POST "${VAULT_ADDR}/v1/auth/github/login" -d '{"role":"'${COSIGN_AUTH_ROLE}'","jwt":"'${ACTIONS_ID_TOKEN}'"}' | jq -r '.auth.client_token')" \
65-
cosign attest \
66-
--replace \
67-
--registry-username="${REGISTRY_USER}" \
68-
--registry-password="${REGISTRY_PASSWORD}" \
69-
--predicate /.trivyignore.yaml \
70-
--type custom \
71-
--key hashivault://${COSIGN_VAULT_KEY} \
72-
--tlog-upload=false \
73-
-y \
62+
- >
63+
export ACTIONS_ID_TOKEN=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
64+
- >
65+
if [ -n "${ACTIONS_ID_TOKEN}" ]; then
66+
echo "Received Actions token";
67+
else
68+
echo "Actions token empty";
69+
fi
70+
- >
71+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/github/login" -d '{"role":"'${COSIGN_AUTH_ROLE}'","jwt":"'${ACTIONS_ID_TOKEN}'"}' | jq -r '.auth.client_token')"
72+
- >
73+
if [ -n "${VAULT_TOKEN}" ]; then
74+
echo "Received Vault token";
75+
else
76+
echo "Vault token empty";
77+
fi
78+
- echo "Using predicate .trivyignore.yaml"
79+
- >
80+
cosign attest
81+
--replace
82+
--registry-username="${REGISTRY_USER}"
83+
--registry-password="${REGISTRY_PASSWORD}"
84+
--predicate /.trivyignore.yaml
85+
--type custom
86+
--key hashivault://${COSIGN_VAULT_KEY}
87+
--tlog-upload=false
88+
-y -d
7489
"${IMAGE_REPO}@${IMAGE_DIGEST}"
7590
{{- end }}
7691
{{- end }}

.werf/defines/vex.tmpl

Lines changed: 27 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -65,18 +65,33 @@ shell:
6565
- export TRANSIT_SECRET_ENGINE_PATH="$(cat /run/secrets/COSIGN_TRANSIT_SECRET_ENGINE_PATH)"
6666
- export ACTIONS_ID_TOKEN_REQUEST_TOKEN="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
6767
- export ACTIONS_ID_TOKEN_REQUEST_URL="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)"
68-
- |
69-
ACTIONS_ID_TOKEN=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" )) \
70-
VAULT_TOKEN="$(curl -X POST "${VAULT_ADDR}/v1/auth/github/login" -d '{"role":"'${COSIGN_AUTH_ROLE}'","jwt":"'${ACTIONS_ID_TOKEN}'"}' | jq -r '.auth.client_token')" \
71-
cosign attest \
72-
--replace \
73-
--registry-username="${REGISTRY_USER}" \
74-
--registry-password="${REGISTRY_PASSWORD}" \
75-
--predicate /known_vulnerabilities.vex \
76-
--type openvex \
77-
--key hashivault://${COSIGN_VAULT_KEY} \
78-
--tlog-upload=false \
79-
-y \
68+
- >
69+
export ACTIONS_ID_TOKEN=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
70+
- >
71+
if [ -n "${ACTIONS_ID_TOKEN}" ]; then
72+
echo "Received Actions token";
73+
else
74+
echo "Actions token empty";
75+
fi
76+
- >
77+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/github/login" -d '{"role":"'${COSIGN_AUTH_ROLE}'","jwt":"'${ACTIONS_ID_TOKEN}'"}' | jq -r '.auth.client_token')"
78+
- >
79+
if [ -n "${VAULT_TOKEN}" ]; then
80+
echo "Received Vault token";
81+
else
82+
echo "Vault token empty";
83+
fi
84+
- echo "Using predicate known_vulnerabilities.vex"
85+
- >
86+
cosign attest
87+
--replace
88+
--registry-username="${REGISTRY_USER}"
89+
--registry-password="${REGISTRY_PASSWORD}"
90+
--predicate /known_vulnerabilities.vex
91+
--type openvex
92+
--key hashivault://${COSIGN_VAULT_KEY}
93+
--tlog-upload=false
94+
-y -d
8095
"${IMAGE_REPO}@${IMAGE_DIGEST}"
8196
{{- end }}
8297
{{- end }}

0 commit comments

Comments
 (0)