@@ -65,18 +65,33 @@ shell:
6565 - export TRANSIT_SECRET_ENGINE_PATH= " $(cat /run/secrets/COSIGN_TRANSIT_SECRET_ENGINE_PATH)"
6666 - export ACTIONS_ID_TOKEN_REQUEST_TOKEN= " $(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
6767 - export ACTIONS_ID_TOKEN_REQUEST_URL= " $(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)"
68- - |
69- ACTIONS_ID_TOKEN= $ (jq -r .value <<< $ (curl -fsH " Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" " ${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" )) \
70- VAULT_TOKEN= " $(curl -X POST " $ {VAULT_ADDR}/v1/auth/github/login" -d '{" role" :" '$ {COSIGN_AUTH_ROLE}'" ," jwt" :" '$ {ACTIONS_ID_TOKEN}'" }' | jq -r '.auth.client_token')" \
71- cosign attest \
72- --replace \
73- --registry-username= " ${REGISTRY_USER}" \
74- --registry-password= " ${REGISTRY_PASSWORD}" \
75- --predicate /known_vulnerabilities.vex \
76- --type openvex \
77- --key hashivault://$ {COSIGN_VAULT_KEY} \
78- --tlog-upload= false \
79- -y \
68+ - >
69+ export ACTIONS_ID_TOKEN= $ (jq -r .value <<< $ (curl -fsH " Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" " ${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
70+ - >
71+ if [ -n " ${ACTIONS_ID_TOKEN}" ]; then
72+ echo " Received Actions token" ;
73+ else
74+ echo " Actions token empty" ;
75+ fi
76+ - >
77+ export VAULT_TOKEN= " $(curl -fX POST " $ {VAULT_ADDR}/v1/auth/github/login" -d '{" role" :" '$ {COSIGN_AUTH_ROLE}'" ," jwt" :" '$ {ACTIONS_ID_TOKEN}'" }' | jq -r '.auth.client_token')"
78+ - >
79+ if [ -n " ${VAULT_TOKEN}" ]; then
80+ echo " Received Vault token" ;
81+ else
82+ echo " Vault token empty" ;
83+ fi
84+ - echo " Using predicate known_vulnerabilities.vex"
85+ - >
86+ cosign attest
87+ --replace
88+ --registry-username= " ${REGISTRY_USER}"
89+ --registry-password= " ${REGISTRY_PASSWORD}"
90+ --predicate /known_vulnerabilities.vex
91+ --type openvex
92+ --key hashivault://$ {COSIGN_VAULT_KEY}
93+ --tlog-upload= false
94+ -y -d
8095 " ${IMAGE_REPO}@${IMAGE_DIGEST}"
8196 {{- end }}
8297{{- end }}
0 commit comments