Add support for signing with Sigstore

Fixes: redhat-actions#89
travier · Nov 24, 2023 · e59e7ad · e59e7ad
1 parent 9986a65
commit e59e7ad
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/src/generated/inputs-outputs.ts b/src/generated/inputs-outputs.ts
@@ -52,6 +52,12 @@ export enum Inputs {
      * Default: None.
      */
     USERNAME = "username",
+    /**
+     * Sigstore private key to use to sign container images
+     * Required: false
+     * Default: None.
+     */
+    SIGSTORE_PRIVATE_KEY = "sigstore-private-key",
 }
 
 export enum Outputs {

diff --git a/src/index.ts b/src/index.ts
@@ -209,6 +209,18 @@ async function run(): Promise<void> {
         }
     }
 
+    const sigstorePrivateKey = core.getInput(Inputs.SIGSTORE_PRIVATE_KEY);
+    const sigstorePrivateKeyFile = path.join(process.env.RUNNER_TEMP, 'sigstore_private_key');
+    if (sigstorePrivateKey) {
+        // Write sigstore private key to a temporary file in $RUNNER_TEMP that
+        // will be removed after the image is pushed.
+        try {
+            await fs.promises.writeFile(sigstorePrivateKeyFile, sigstorePrivateKey);
+        } catch (err) {
+            throw new Error(`Could not write sigstore private key to temporary file "${sigstorePrivateKeyFile}": ${err}`);
+        }
+    }
+
     let pushMsg = `⏳ Pushing "${sourceImages.join(", ")}" to "${destinationImages.join(", ")}" respectively`;
     if (username) {
         pushMsg += ` as "${username}"`;
@@ -269,11 +281,23 @@ async function run(): Promise<void> {
             args.push(`--creds=${creds}`);
         }
 
+        if (sigstorePrivateKey) {
+            args.push("--sign-by-sigstore-private-key");
+            args.push(sigstorePrivateKeyFile);
+        }
+
         await execute(await getPodmanPath(), args);
         core.info(`✅ Successfully pushed "${sourceImages[i]}" to "${destinationImages[i]}"`);
 
         registryPathList.push(destinationImages[i]);
 
+        try {
+            await fs.promises.unlink(sigstorePrivateKeyFile);
+        }
+        catch (err) {
+            core.warning(`Failed to remove temporary file used to store sigstore private key "${sigstorePrivateKeyFile}": ${err}`);
+        }
+
         try {
             const digest = (await fs.promises.readFile(digestFile)).toString();
             core.info(digest);