2 files changed: +39 -8 lines changed
lines changed Original file line number Diff line number Diff line change @@ -15,19 +15,26 @@ jobs:
1515 uses : actions/checkout@main
1616 with :
1717 fetch-depth : 0
18+ - name : Login to DockerHub
19+ uses : docker/login-action@v2
20+ with :
21+ username : ${{ secrets.DOCKERHUB_USER }}
22+ password : ${{ secrets.DOCKERHUB_TOKEN }}
1823 - name : Install Cosign
19242025 - name : Check Cosign
2126 run : cosign version
22- - name : Cosign with OIDC
27+ - name : Get latest tag
28+ run : echo "LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1` | tr -d 'v')" >> $GITHUB_ENV
29+ - name : Get digest
2330 run : |
24- # Get the latest tag
25- LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1` | tr -d 'v')
26- # Obtain the digest from this tag
2731 DIGEST=$(curl "https://hub.docker.com/v2/repositories/snyk/snyk-universal-broker/tags/${LATEST_TAG}" | jq '.digest' -r)
28- # Sign the image, using GitHub as an OIDC provider
29- cosign sign --yes oci://registry-1.docker.io/snyk/snyk-universal-broker-helm@${DIGEST}
32+ echo "DIGEST=${DIGEST}" >> $GITHUB_ENV
33+ - name : Cosign with OIDC
34+ run : |
35+ cosign sign --yes snyk/snyk-universal-broker@${DIGEST}
36+ cosign sign --yes snyk/snyk-universal-broker:${LATEST_TAG}
3037 - name : Verify signature
3138 run : |
32- cosign verify oci ://registry-1.docker.io /snyk/snyk-universal-broker-helm@${DIGEST}
33- cosign verify oci://registry-1.docker.io /snyk/snyk-universal-broker-helm@${LATEST_TAG}
39+ cosign verify snyk/snyk-universal-broker@${DIGEST} --certificate-identity-regexp="https ://github.com /snyk/snyk-universal-broker-helm/.*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
40+ cosign verify snyk/snyk-universal-broker:${LATEST_TAG} --certificate-identity-regexp="https://github.com /snyk/snyk-universal-broker-helm/.*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
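Review bot: The "Get digest" step has no failure check. `curl` runs without `--fail`, and `jq '.digest' -r` prints `null` when the response has no digest field, so `DIGEST=null` would be written to `$GITHUB_ENV` and the sign step would run against `snyk/snyk-universal-broker@null`. Suggest `curl -fsSL` and a guard that `DIGEST` has the form `sha256:` followed by 64 hex characters before exporting it. In "Cosign with OIDC", the second `cosign sign` on `:${LATEST_TAG}` resolves the tag again at signing time, so if the tag moves it can sign a different image than the digest looked up in the previous step; signing the digest alone is enough, because the signature is attached to the digest. The added `docker/login-action@v2` is a mutable ref (as is the existing `actions/checkout@main`) in a job that holds registry credentials and signs releases, so pinning both to a commit SHA would be safer. In "Verify signature", the `--certificate-identity-regexp` ends in `/.*`, which accepts a certificate issued to any workflow on any ref of the repository; consider matching the signing workflow's path and the release ref instead.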
@@ -32,6 +32,30 @@ Pull the Helm Chart, and provide any configuration necessary:
3232helm pull oci://registry-1.docker.io/snyk/snyk-universal-broker
3333```
3434
35+ ### Verifying the Helm Chart
36+
37+ The Helm Chart for Snyk Universal Broker is signed with ` cosign ` . Optionally validate the Helm Chart with the following methods.
38+
39+ #### By tag
40+
41+ Replace ` x.y.z ` with the value of the tag:
42+
43+ ```
44+ cosign verify snyk/snyk-universal-broker:x.y.z \
45+ --certificate-identity-regexp="https://github.com/snyk/snyk-universal-broker-helm/.*" \
46+ --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
47+ ```
48+
49+ #### By digest
50+
51+ Replace ` @sha256:... ` with the digest of the tag:
52+
53+ ```
54+ cosign verify snyk/snyk-universal-broker@sha256:... \
55+ --certificate-identity-regexp="https://github.com/snyk/snyk-universal-broker-helm/.*" \
56+ --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
57+ ```
58+
3559## Basic Configuration
3660
3761### Selecting your Snyk Region
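Review bot: Missing documentation in the "By digest" section: it tells the reader to replace `@sha256:...` with the digest of the tag but not how to obtain that digest, and nothing ties the verified artifact to what is then installed. The `helm pull` shown just above the new section pulls by name with no version or digest, so a reader can verify one digest and pull whatever the tag points to later. Suggest adding a sentence on where the digest comes from and recommending that the chart be pulled by the same digest that was verified. The "By tag" section would also benefit from a note that a tag is mutable and that verification by tag only covers the image the tag resolved to at that moment. As a style point, the two new fenced blocks carry no language tag, and "Optionally validate the Helm Chart with the following methods" would read more clearly as "You can verify the signature by tag or by digest".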