
fix(ci): cosign digest only#58

Open

scrocquesel wants to merge 1 commit into projectbluefin:main from scrocquesel:ci/cosign

Conversation

@scrocquesel

No description provided.

@dosubot dosubot bot added size:XS This PR changes 0-9 lines, ignoring generated files. bug Something isn't working labels Feb 16, 2026
@agriffis

@scrocquesel I'm curious about this PR but lacking context. Can you elaborate on what this fixes?

agriffis added a commit to agriffis/finicky that referenced this pull request Mar 15, 2026
@scrocquesel
Author

Images should be signed off their digest, not their tag; otherwise, the build shows

WARNING: Image reference ghcr.io/joaopfusco/bluenix:latest uses a tag, not a digest, to identify the image to sign.
    This can lead you to sign a different image than the intended one. Please use a
    digest (example.com/ubuntu@sha256:abc123...) rather than tag
    (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
    images by tag will be removed in a future release.

The digest is what is passed from the output of the push step, but the step still uses the output from metadata.

TBH, I was a bit lazy and the env var TAGS should be renamed to clearly show the intent.

@agriffis

@scrocquesel This patch fails when I try to use it on my build. Any idea what I'm missing?

image

@scrocquesel
Author

The image name is with a colon; are you sure you kept only the line with @?

# done
# cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL@${TAGS}
# env:
# TAGS: ${{ steps.push.outputs.digest }}

Suggested change
# TAGS: ${{ steps.push.outputs.digest }}
# DIGEST: ${{ steps.push.outputs.digest }}
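Review bot: renaming the env var to `DIGEST` here while the run line below still reads `cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL@${TAGS}` means that, committed on its own, `${TAGS}` expands to empty and cosign is handed the malformed reference `$IMAGE_FULL@`; land this together with the matching rename on the run line.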

# for tag in ${{ steps.metadata.outputs.tags }}; do
# cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL:$tag
# done
# cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL@${TAGS}

Suggested change
# cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL@${TAGS}
# cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE_FULL@${DIGEST}
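Review bot: `${DIGEST}` on this line is only defined if the env block is renamed from `TAGS` to `DIGEST` as well; applied alone it signs `$IMAGE_FULL@` with an empty digest. The expansion is also unquoted, so a multi-line value such as the tag list from `steps.metadata.outputs.tags` is word-split into several image arguments, which is consistent with the tag warning reported above; quoting it (`"$IMAGE_FULL@${DIGEST}"`) makes such a mistake fail in cosign instead.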

@agriffis

The image name is with a colon; are you sure you kept only the line with @?

🤦‍♂️

Thank you!
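As an added example (not code from this PR or from the finicky workflow), a POSIX shell check for the point made in this thread: build the reference to sign from the push step's digest and refuse anything that is a tag, so the colon/tag-list mistake described above fails before cosign runs. `IMAGE_FULL` is the variable from the workflow snippet; `sign_ref`, `sign_step` and the sample values are constructed for this example.

```shell
#!/bin/sh
# Added example, not the PR's or the finicky workflow's code. Builds the
# name@digest reference that the cosign step should sign and refuses a tag,
# so feeding metadata.outputs.tags (a list of name:tag lines) where the push
# step's digest belongs fails loudly instead of signing the wrong image.

# sign_ref IMAGE DIGEST -> prints IMAGE@DIGEST, or returns 1 with a reason.
sign_ref() {
  image="$1"
  digest="$2"
  # The name must not already carry a tag. Only the last path component is
  # checked, so a registry with a port (localhost:5000/app) still passes.
  case "${image##*/}" in
    *:*) echo "sign_ref: '$image' carries a tag, pass the bare name" >&2; return 1 ;;
  esac
  # Must look like what steps.push.outputs.digest emits: sha256:<64 hex>.
  case "$digest" in
    sha256:*) ;;
    *) echo "sign_ref: '$digest' is not a sha256 digest" >&2; return 1 ;;
  esac
  hex="${digest#sha256:}"
  # Exact length plus a hex-only check; a multi-line tag list fails both.
  if [ "${#hex}" -ne 64 ]; then
    echo "sign_ref: digest has wrong length" >&2; return 1
  fi
  case "$hex" in
    *[!0-9a-f]*) echo "sign_ref: digest is not hex" >&2; return 1 ;;
  esac
  printf '%s@%s\n' "$image" "$digest"
}

# Mirrors the workflow step: sign the digest reference, never a tag. The
# cosign command is printed rather than run so the script works offline.
sign_step() {
  ref=$(sign_ref "$1" "$2") || return 1
  echo "cosign sign -y --key env://COSIGN_PRIVATE_KEY $ref"
}

# Constructed values; the digest is the SHA-256 of empty input, chosen only
# because it is a well-known 64-hex-character string.
IMAGE_FULL="ghcr.io/example/app"
DIGEST="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
sign_step "$IMAGE_FULL" "$DIGEST"
```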
