fix cosign
Some checks failed
Docker Build Smart Logic / Build amd64 & arm64 (push) Failing after 23s

2026-02-10 00:16:17 +01:00
parent 907063577e
commit 9ad38d941b


@@ -257,11 +257,11 @@ jobs:
env: env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
# Das hier schaltet den OCI 1.1 Modus frei
COSIGN_EXPERIMENTAL: 1 COSIGN_EXPERIMENTAL: 1
run: | run: |
set -euo pipefail set -euo pipefail
# 1. Image Namen festlegen
if [[ "$IS_TAG" == "true" ]]; then if [[ "$IS_TAG" == "true" ]]; then
IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}" IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
else else
@@ -269,13 +269,20 @@ jobs:
fi fi
echo "Signing image: $IMAGE_TO_SIGN" echo "Signing image: $IMAGE_TO_SIGN"
# 2. Key aus Secret erstellen
echo "$COSIGN_PRIVATE_KEY" > cosign.key echo "$COSIGN_PRIVATE_KEY" > cosign.key
# Signieren mit Referrers-Mode # 3. Eine minimale Signing-Config ohne Transparency Log erstellen
# Wenn dein Gitea aktuell genug ist, verschwinden die sha256-Tags damit! # Das ersetzt das alte --tlog-upload=false
echo '{"version":"v0.1","transparencyLog":{}}' > signing-config.json
# 4. Signieren mit der neuen Config
# Wir nutzen --signing-config anstatt --tlog-upload
cosign sign --yes --recursive --key cosign.key \ cosign sign --yes --recursive --key cosign.key \
--tlog-upload=false \ --signing-config signing-config.json \
--registry-referrers-mode oci-1-1 \ --registry-referrers-mode oci-1-1 \
"${IMAGE_TO_SIGN}" "${IMAGE_TO_SIGN}"
rm -f cosign.key # 5. Aufräumen
rm -f cosign.key signing-config.json
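Review bot: The private key is removed only on the success path: under `set -euo pipefail` a failing `cosign sign` aborts the script before the final `rm -f cosign.key signing-config.json`, so `cosign.key` stays in the runner workspace. The check on this commit is shown as failing, although the page does not say at which step. Register the cleanup before the key is written, with `umask 077` and `trap 'rm -f cosign.key signing-config.json' EXIT`, or skip the file entirely by passing `--key env://COSIGN_PRIVATE_KEY`. Separately, the hand-written `signing-config.json` has no `mediaType` field, which Sigstore signing-config documents carry as far as I know; please confirm that the cosign version pinned in this workflow accepts it. The `run:` block starts outside this hunk, so an existing trap or umask earlier in the step would not be visible here.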