build: set cosign version and verify commands as outputs

crazy-max · crazy-max · commit 95c9483eb978 · 2025-11-12T14:30:46.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml
@@ -59,6 +59,38 @@ jobs:
           username: ${{ secrets.AWS_ACCESS_KEY_ID }}
           password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
+  build-aws-verify:
+    runs-on: ubuntu-latest
+    needs:
+      - build-aws
+    steps:
+      -
+        name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: ${{ needs.build-aws.outputs.cosign-version }}
+      -
+        name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      -
+        name: Verify signatures
+        uses: actions/github-script@v8
+        env:
+          INPUT_COSIGN-VERSION: ${{ needs.build-aws.outputs.cosign-version }}
+          INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.build-aws.outputs.cosign-verify-commands }}
+        with:
+          script: |
+            const cosignVersion = core.getInput('cosign-version');
+            core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
+            const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
+            for (const cmd of cosignVerifyCommands) {
+              await exec(cmd);
+            }
+
   build-ghcr:
     uses: ./.github/workflows/build.yml
     permissions:
@@ -154,3 +186,12 @@ jobs:
       build-file: test/hello.Dockerfile
       build-sbom: true
       build-platforms: linux/amd64,linux/arm64
+
+  build-local-verify:
+    runs-on: ubuntu-latest
+    needs:
+      - build-local
+    steps:
+      -
+        name: Show output
+        run: echo "Image SHA is ${{ needs.call-reusable.outputs.build_sha }}"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -108,6 +108,13 @@ on:
       github-token:
         description: "GitHub Token used to authenticate against a repository for Git context"
         required: false
+    outputs:
+      cosign-version:
+        description: Cosign version used for verification
+        value: ${{ jobs.build.outputs.cosign-version }}
+      cosign-verify-commands:
+        description: Cosign verify commands
+        value: ${{ jobs.build.outputs.cosign-verify-commands }}
 
 env:
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.67.0"
@@ -117,6 +124,9 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      cosign-version: ${{ env.COSIGN_VERSION }}
+      cosign-verify-commands: ${{ steps.signing-attestation-manifests.outputs.verify-commands || steps.signing-local-artifacts.outputs.verify-commands }}
     permissions:
       contents: read
       id-token: write # needed for signing the images with GitHub OIDC Token
@@ -266,6 +276,7 @@ jobs:
             await cosign.printVersion();
       -
         name: Signing attestation manifests
+        id: signing-attestation-manifests
         if: ${{ inputs.output == 'registry' }}
         uses: actions/github-script@v8
         env:
@@ -288,8 +299,19 @@ jobs:
               { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` },
               signResults
             );
+            
+            await core.group(`Verify commands`, async () => {
+              const verifyCommands = [];
+              for (const [attestationRef, verifyResult] of Object.entries(verifyResults)) {
+                const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} ${attestationRef}`;
+                core.info(cmd);
+                verifyCommands.push(cmd);
+              }
+              core.setOutput('verify-commands', verifyCommands.join('\n'));
+            });
       -
         name: Signing local artifacts
+        id: signing-local-artifacts
         if: ${{ inputs.output == 'local' }}
         uses: actions/github-script@v8
         env:
@@ -309,6 +331,16 @@ jobs:
               { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` },
               signResults
             );
+            
+            await core.group(`Verify commands`, async () => {
+              const verifyCommands = [];
+              for (const [artifactPath, verifyResult] of Object.entries(verifyResults)) {
+                const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} --bundle ${path.relative(inplocalExportDir, verifyResult.bundlePath)} ${path.relative(inplocalExportDir, artifactPath)}`;
+                core.info(cmd);
+                verifyCommands.push(cmd);
+              }
+              core.setOutput('verify-commands', verifyCommands.join('\n'));
+            });
       -
         name: Create manifest
         if: ${{ inputs.output == 'registry' }}
