CI: Verify base image signature before build

This commit is contained in:
SebClem 2024-09-12 09:39:13 +02:00
parent 219dc004da
commit c884226819
Signed by: sebclem
GPG Key ID: 5A4308F6A359EA50


@ -13,6 +13,8 @@ env:
IMAGE: "hassio-nextcloud-backup" IMAGE: "hassio-nextcloud-backup"
REPOSITORY: ghcr.io/sebclem REPOSITORY: ghcr.io/sebclem
IMAGE_SOURCE: https://github.com/Sebclem/hassio-nextcloud-backup IMAGE_SOURCE: https://github.com/Sebclem/hassio-nextcloud-backup
BASE_ISSUER: https://token.actions.githubusercontent.com
BASE_IDENTITY: https://github.com/home-assistant/docker-base/.*
permissions: write-all permissions: write-all
@ -120,6 +122,9 @@ jobs:
echo "url=$(yq .url nextcloud_backup/config.yml)" >> $GITHUB_OUTPUT echo "url=$(yq .url nextcloud_backup/config.yml)" >> $GITHUB_OUTPUT
echo "build_from=ghcr.io/home-assistant/${{ matrix.arch }}-base:$(cat nextcloud_backup/.base_version)" >> $GITHUB_OUTPUT echo "build_from=ghcr.io/home-assistant/${{ matrix.arch }}-base:$(cat nextcloud_backup/.base_version)" >> $GITHUB_OUTPUT
- name: Check base image signature
run: cosign verify --certificate-oidc-issuer-regexp "${{ env.BASE_ISSUER }}" --certificate-identity-regexp "${{ env.BASE_IDENTITY }}" "${{ steps.build_param.outputs['build_from'] }}"
- name: Docker meta - name: Docker meta
id: meta id: meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@v5
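Review bot: The `cosign verify` on the `run:` line of the new "Check base image signature" step verifies the tag held in `build_from`, but the build that follows resolves that same tag a second time, so a tag re-pointed between the two steps is consumed unverified; resolve the digest once and pass an `image@sha256:…` reference to both the verify and the build, e.g. extract it from cosign's stdout with `cosign verify … | jq -r '.[0].critical.image."docker-manifest-digest"'` and write a digest-pinned value to `$GITHUB_OUTPUT` (whether the downstream builder accepts a digest reference for the base image is outside this hunk and should be checked). The issuer in the first hunk (`BASE_ISSUER`) is a literal, so `--certificate-oidc-issuer "${{ env.BASE_ISSUER }}"` is the exact-match flag to use rather than `-regexp`, and `BASE_IDENTITY` should be anchored and escaped, `BASE_IDENTITY: '^https://github\.com/home-assistant/docker-base/.*$'`, since cosign's regexp flags are not guaranteed to be anchored on every version — confirm against the cosign release the workflow installs. The step also assumes cosign is already present on the runner; any installer step and the rest of the job body are outside the hunk.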