diff --git a/.github/actions/publish-image/action.yaml b/.github/actions/publish-image/action.yaml
index 74abf7094d..368531c186 100644
--- a/.github/actions/publish-image/action.yaml
+++ b/.github/actions/publish-image/action.yaml
@@ -66,11 +66,10 @@ runs:
 - shell: bash
 if: ${{ inputs.sign-image == 'true' }}
 env:
- COSIGN_EXPERIMENTAL: 'true'
 COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
 run: |
 set -e
- cosign sign \
+ cosign sign --yes \
 -a "repo=${{ github.repository }}" \
 -a "workflow=${{ github.workflow }}" \
 -a "ref=${{ github.sha }}" \
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
index 67b6a6ec3d..b4626d4da5 100644
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -59,8 +59,6 @@ jobs:
 - name: Install Cosign
 uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
- with:
- cosign-release: 'v1.13.0'
 - name: Set version
 run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
@@ -93,8 +91,6 @@ jobs:
 helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
 - name: Publish OCI Charts
- env:
- COSIGN_EXPERIMENTAL: 1
 run: |
 for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do
 chart=${dir##*/}
@@ -102,5 +98,5 @@ jobs:
 helm package charts-tmp/${chart} --destination .dist
 helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts |& tee .digest
 cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
- cosign sign ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
+ cosign sign --yes ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
 done
diff --git a/.github/workflows/images-publish.yaml b/.github/workflows/images-publish.yaml
index edc6fc855e..9abbbf3a43 100644
--- a/.github/workflows/images-publish.yaml
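Review bot: The `-a` annotations on the `cosign sign --yes` command in `.github/actions/publish-image/action.yaml` expand `${{ github.repository }}`, `${{ github.workflow }}` and `${{ github.sha }}` straight into the script text, so a workflow name containing a double quote or `$(` would alter the command that runs. `COSIGN_REPOSITORY` in the same step already goes through `env:`; the annotations could follow that pattern, e.g. `WORKFLOW: ${{ github.workflow }}` under `env:` and `-a "workflow=${WORKFLOW}"` in the script. Since `--yes` now accepts the keyless flow without a prompt, a comment above the step such as `# keyless signing: the calling job must grant id-token: write` would document the requirement; whether callers grant it is not visible here. The command continues past the end of the hunk, so the image reference being signed is not shown.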
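Review bot: In the `Publish OCI Charts` loop of `.github/workflows/helm-release.yaml` (hunk at `-102,5 +98,5`), the digest handed to `cosign sign --yes` is scraped from `helm push` output through `|& tee .digest`, and nothing checks that it is a well-formed digest before signing. The pipeline reports the status of `tee` unless `pipefail` is set (no `shell:` key is visible on the step), so a failed push can reach the sign line with nothing after the `@`. Extracting and validating the value first makes that failure explicit: `digest=$(awk -F "[, ]+" '/Digest/{print $NF}' .digest)` followed by `[[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]] || exit 1`, then sign `...charts/${chart}@${digest}`. The `cosign login --password ${{ secrets.GITHUB_TOKEN }}` line just above also places the token on the command line; `--password-stdin` would keep it out of the process arguments.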
+++ b/.github/workflows/images-publish.yaml
@@ -42,8 +42,6 @@ jobs:
 severity: 'CRITICAL,HIGH'
 - name: Install Cosign
 uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
- with:
- cosign-release: 'v1.13.0'
 - name: Publish kyverno
 id: publish-kyverno
 uses: ./.github/actions/publish-image
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index d48bca18f8..6d1d06fb15 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -37,8 +37,6 @@ jobs:
 severity: 'CRITICAL,HIGH'
 - name: Install Cosign
 uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
- with:
- cosign-release: 'v1.13.0'
 - name: Publish kyverno
 id: release-kyverno
 uses: ./.github/actions/publish-image
@@ -234,8 +232,6 @@ jobs:
 - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
 - name: Install Cosign
 uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
- with:
- cosign-release: 'v1.13.0'
 - name: Make Release
 env:
 VERSION: ${{ github.ref_name }}
@@ -270,8 +266,6 @@ jobs:
 version: 0.35.0
 - name: Install Cosign
 uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
- with:
- cosign-release: 'v1.13.0'
 - name: Build yaml manifest
 run: VERSION=${{ github.ref_name }} make codegen-manifest-release
 - name: Upload install manifest
@@ -307,10 +301,8 @@ jobs:
 --source="$(git config --get remote.origin.url)" \
 --revision="${{ github.ref_name }}/$(git rev-parse HEAD)"
 - name: Sign manifests in GHCR with Cosign
- env:
- COSIGN_EXPERIMENTAL: 1
 run: |
- cosign sign ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }}
+ cosign sign --yes ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }}
 release-cli-via-krew:
 runs-on: ubuntu-latest
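Review bot: In the `Sign manifests in GHCR with Cosign` step of `.github/workflows/release.yaml` (hunk at `-307,10 +301,8`), `cosign sign --yes` is given the mutable tag `manifests/kyverno:${{ github.ref_name }}` rather than a digest, so the signature attaches to whatever the tag resolves to at signing time, which is not guaranteed to be the artifact pushed by the preceding step. Recent cosign releases print a warning for tag references for this reason. Capturing the digest from the push and signing `ghcr.io/${{ github.repository_owner }}/manifests/kyverno@${DIGEST}` closes that gap; the push command begins above the hunk, so how its digest can be obtained is not visible from here. The chart signing in `helm-release.yaml` already signs by digest, so this would also make the two release paths consistent.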