removes attestation verification from the workflows
Attestation verification requires the base image to be owned by VanillaOS. This should not be required.
This commit is contained in:
Tau
K.B.Dharun Krishna
parent
4a328a31ef
commit
b54a77181b
2 changed files with 1 additions and 50 deletions
25
.github/workflows/release.yml
vendored
25
.github/workflows/release.yml
vendored
|
|
@ -11,33 +11,8 @@ env:
|
||||||
REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
verify-image:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Install dependencies
|
|
||||||
run: sudo apt-get install -y libfyaml-utils
|
|
||||||
|
|
||||||
- name: Read base image name from recipe
|
|
||||||
id: read_base_recipe
|
|
||||||
run: |
|
|
||||||
BASE_IMAGE="$(fy-filter -f recipe.yml /stages/-1/base)"
|
|
||||||
echo The base image is $BASE_IMAGE
|
|
||||||
if [ -z $BASE_IMAGE ]; then exit 1; fi
|
|
||||||
echo "base_image=$BASE_IMAGE" >> "$GITHUB_OUTPUT"
|
|
||||||
echo "BASE_IMAGE=$BASE_IMAGE" >> "$GITHUB_ENV"
|
|
||||||
|
|
||||||
- name: Verify Base Image Integrity
|
|
||||||
run: |
|
|
||||||
gh attestation verify oci://ghcr.io/${{ env.BASE_IMAGE }} --owner Vanilla-OS
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ github.token }}
|
|
||||||
|
|
||||||
release:
|
release:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: verify-image
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: write # Allow actions to create release
|
contents: write # Allow actions to create release
|
||||||
attestations: write # To create and write attestations
|
attestations: write # To create and write attestations
|
||||||
|
|
|
||||||
26
.github/workflows/vib-build.yml
vendored
26
.github/workflows/vib-build.yml
vendored
|
|
@ -15,30 +15,6 @@ env:
|
||||||
BUILDX_NO_DEFAULT_ATTESTATIONS: 1
|
BUILDX_NO_DEFAULT_ATTESTATIONS: 1
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
verify_image:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Install dependencies
|
|
||||||
run: sudo apt-get install -y libfyaml-utils
|
|
||||||
|
|
||||||
- name: Read base image name from recipe
|
|
||||||
id: read_base_recipe
|
|
||||||
run: |
|
|
||||||
BASE_IMAGE="$(fy-filter -f recipe.yml /stages/-1/base)"
|
|
||||||
echo The base image is $BASE_IMAGE
|
|
||||||
if [ -z $BASE_IMAGE ]; then exit 1; fi
|
|
||||||
echo "base_image=$BASE_IMAGE" >> "$GITHUB_OUTPUT"
|
|
||||||
echo "BASE_IMAGE=$BASE_IMAGE" >> "$GITHUB_ENV"
|
|
||||||
|
|
||||||
- name: Verify Base Image Integrity
|
|
||||||
run: |
|
|
||||||
gh attestation verify oci://ghcr.io/${{ env.BASE_IMAGE }} --owner Vanilla-OS
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ github.token }}
|
|
||||||
|
|
||||||
check_update:
|
check_update:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
|
@ -115,7 +91,7 @@ jobs:
|
||||||
|
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [check_update, verify_image]
|
needs: check_update
|
||||||
if: ${{ needs.check_update.outputs.has_updates == 'true' }}
|
if: ${{ needs.check_update.outputs.has_updates == 'true' }}
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue