Commit

While working on #267 noticed this, but didn't want to bake into it. (#268)

* While working on #267 noticed this, but didn't want to bake into it.

Signed-off-by: Ville Aikas <[email protected]>

* Forgot one change, thanks @mattmoor :)

Signed-off-by: Ville Aikas <[email protected]>
vaikas authored Dec 9, 2021
1 parent f4746cc commit 6c2a20b
Showing 1 changed file with 10 additions and 19 deletions.
29 changes: 10 additions & 19 deletions .github/workflows/verify-k8s.yml
Expand Up @@ -189,36 +189,27 @@ jobs:
automountServiceAccountToken: false
containers:
- name: check-oidc
# This is a version of the cosign image published from CI with https://github.com/sigstore/cosign/pull/955
# TODO(mattmoor): Switch this to a release build after 1.3
image: gcr.io/projectsigstore/cosign/ci/cosign:46e274094551d5b29bd89eaa6499c0f39e60db2f
command: [/busybox/sh, -c]
args:
- |
/ko-app/cosign sign \
`# Target our cluster's Fulcio` \
--fulcio-url http://fulcio-server.fulcio-dev.svc \
`# Pass in the KinD OIDC token` \
--identity-token \$(cat /var/run/kind-oidc/token) \
`# Skip verification of the SCT since we've disabled that above.` \
--insecure-skip-verify=true \
`# Skip upload because we can't avoid Rekor on that path.` \
--upload=false \
${DIGEST}
image: gcr.io/projectsigstore/cosign:v1.4.0
args: [
"sign",
"--fulcio-url=http://fulcio-server.fulcio-dev.svc",
"--insecure-skip-verify=true",
"--upload=false",
"${DIGEST}",
]
env:
- name: COSIGN_EXPERIMENTAL
value: "true"
volumeMounts:
- name: oidc-info
mountPath: /var/run/kind-oidc
mountPath: /var/run/sigstore/cosign
volumes:
- name: oidc-info
projected:
sources:
- serviceAccountToken:
path: token
path: oidc-token
expirationSeconds: 600 # Use as short-lived as possible.
audience: sigstore
EOF
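Review bot: The new `args` list drops `--identity-token`, so signing now succeeds only if cosign finds the token by itself at the renamed mount (`mountPath: /var/run/sigstore/cosign` with `path: oidc-token`), and nothing in the manifest says these two values are load-bearing. A short YAML comment beside the volumeMount stating that this is the location cosign reads the token from would keep a later rename from silently breaking the check. The explanations that accompanied `--insecure-skip-verify=true` and `--upload=false` in the removed shell form are gone as well; carrying them over as YAML comments is worthwhile, since a bare insecure flag in a verification workflow needs its justification next to it. The image is also referenced by the tag `v1.4.0` only; pinning it by digest would make the job reproducible.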