From 78886c7e990239273b414a2d062814c3e61e5e5e Mon Sep 17 00:00:00 2001
From: Kennedy Bushnell
Date: Wed, 22 Apr 2026 10:03:33 -0700
Subject: [PATCH 1/2] remove deprecated rekor-url flag from cosign verify call
---
 .github/workflows/build.yml | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9681a9b..5d34600 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -242,21 +242,21 @@ jobs:
 docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64") }}'
 echo "::endgroup::"
- # - name: Verify cosign signatures
- # run: |
- # echo "::group::Verify signature (DockerHub)"
- # cosign verify --rekor-url https://rekor.sigstore.dev \
- # --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
- # --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
- # ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
- # echo "::endgroup::"
-
- # echo "::group::Verify signature (GitHub Container Registry)"
- # cosign verify --rekor-url https://rekor.sigstore.dev \
- # --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
- # --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
- # ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
- # echo "::endgroup::"
+ - name: Verify cosign signatures
+ run: |
+ echo "::group::Verify signature (DockerHub)"
+ cosign verify \
+ --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
+ echo "::endgroup::"
+
+ echo "::group::Verify signature (GitHub Container Registry)"
+ cosign verify \
+ --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
+ echo "::endgroup::"
 argocd:
 if: github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
From 7139d1363618ff166bb9f6bad64f9853e6e632fb Mon Sep 17 00:00:00 2001
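Review bot: The `--certificate-identity` passed to both re-enabled `cosign verify` calls is built from the current run's own `github.workflow_ref`, so the step only confirms that an identity equal to this run's produced the signature; it is a self-consistency check, not a pin to a trusted workflow on a fixed ref. That is reasonable as a smoke test, but it is worth saying so above the step so nobody later reads it as the trust decision, e.g. `# Self-check only: verifies the signature presumably produced earlier in this run; external verifiers should pin --certificate-identity to the release workflow at a fixed ref`. Separately, `github.workflow_ref` embeds the branch or tag name inside a double-quoted shell string; routing it through `env:` (`IDENTITY: https://github.com/${{ github.workflow_ref }}`, then `--certificate-identity "$IDENTITY"`) keeps ref names out of shell interpretation, and the same treatment fits the image references. The enclosing job starts outside the hunk, so whether `cosign` is installed and the images signed before this step cannot be confirmed here.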
From: Kennedy Bushnell
Date: Wed, 22 Apr 2026 10:08:01 -0700
Subject: [PATCH 2/2] apply permissions per job rather than for the workflow to reduce blast radius
---
 .github/workflows/build.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5d34600..19ae502 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,12 +13,6 @@ on:
 types: [published]
 workflow_dispatch:
-permissions:
- attestations: write
- contents: read
- id-token: write
- packages: write
-
 concurrency:
 group: build-${{ github.workflow }}-${{ github.ref }}
@@ -28,6 +22,12 @@ jobs:
 runs-on: ${{ matrix.runner }}
 if: github.event_name != 'pull_request'
+ permissions:
+ attestations: write
+ contents: read
+ id-token: write
+ packages: write
+
 strategy:
 fail-fast: false
 matrix:
@@ -131,6 +131,12 @@ jobs:
 needs:
 - build
+ permissions:
+ attestations: write
+ contents: read
+ id-token: write
+ packages: write
+
 outputs:
 docker_build_digest: ${{ steps.docker_build.outputs.digest }}
 docker_meta_version: ${{ steps.docker_meta.outputs.version }}
@@ -261,6 +267,7 @@ jobs:
 argocd:
 if: github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
 runs-on: ubuntu-latest
+ permissions: {}
 needs:
 - build
 - manifest
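Review bot: Deleting the workflow-level `permissions:` block in the first hunk (`@@ -13,12 +13,6 @@`) means any job in this file without its own `permissions:` now receives the repository's default `GITHUB_TOKEN` scopes, which on repositories still on the permissive default are broader than the block being removed. The later hunks cover `build`, `manifest` and `argocd`, but other jobs in the file, if any, are outside this diff, and a job added later would silently inherit the default. A minimal workflow-level floor keeps the fallback least-privilege regardless, e.g. replace the deleted block with `permissions:` / `  contents: read` (or `permissions: {}` if no job relies on the inherited read) and let the per-job blocks widen it where needed.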
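Review bot: The `build` job (`@@ -28,6 +22,12 @@`) and the `manifest` job (`@@ -131,6 +131,12 @@`) each receive the full former workflow-level set (`attestations: write`, `id-token: write`, `packages: write`, `contents: read`), so for those two jobs the token's reach is unchanged and the reduction in this commit applies only to `argocd`. If only one of them signs or attests, the other can drop `attestations: write` and `id-token: write` and keep `contents: read` plus `packages: write`; the `manifest` job's cosign verify step seen in the previous patch should need neither of the two write scopes by itself, but both jobs' other steps are outside these hunks, so this needs confirming against them. A one-line comment above each block naming the step that needs each write scope, e.g. `# id-token + attestations: required by <signing/attestation step>`, would record why the scopes are granted and make future trimming safe.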