removes attestation verification from the workflows
Attestation verification requires the base image to be owned by VanillaOS.
This should not be required.
taukakao authored and kbdharun committed Nov 7, 2024
1 parent 4a328a3 commit b54a771
Showing 2 changed files with 1 addition and 50 deletions.
25 changes: 0 additions & 25 deletions .github/workflows/release.yml
@@ -11,33 +11,8 @@ env:
REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

jobs:
verify-image:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Install dependencies
run: sudo apt-get install -y libfyaml-utils

- name: Read base image name from recipe
id: read_base_recipe
run: |
BASE_IMAGE="$(fy-filter -f recipe.yml /stages/-1/base)"
echo The base image is $BASE_IMAGE
if [ -z $BASE_IMAGE ]; then exit 1; fi
echo "base_image=$BASE_IMAGE" >> "$GITHUB_OUTPUT"
echo "BASE_IMAGE=$BASE_IMAGE" >> "$GITHUB_ENV"
- name: Verify Base Image Integrity
run: |
gh attestation verify oci://ghcr.io/${{ env.BASE_IMAGE }} --owner Vanilla-OS
env:
GH_TOKEN: ${{ github.token }}

release:
runs-on: ubuntu-latest
needs: verify-image
permissions:
contents: write # Allow actions to create release
attestations: write # To create and write attestations
26 changes: 1 addition & 25 deletions .github/workflows/vib-build.yml
@@ -15,30 +15,6 @@ env:
BUILDX_NO_DEFAULT_ATTESTATIONS: 1

jobs:
verify_image:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Install dependencies
run: sudo apt-get install -y libfyaml-utils

- name: Read base image name from recipe
id: read_base_recipe
run: |
BASE_IMAGE="$(fy-filter -f recipe.yml /stages/-1/base)"
echo The base image is $BASE_IMAGE
if [ -z $BASE_IMAGE ]; then exit 1; fi
echo "base_image=$BASE_IMAGE" >> "$GITHUB_OUTPUT"
echo "BASE_IMAGE=$BASE_IMAGE" >> "$GITHUB_ENV"
- name: Verify Base Image Integrity
run: |
gh attestation verify oci://ghcr.io/${{ env.BASE_IMAGE }} --owner Vanilla-OS
env:
GH_TOKEN: ${{ github.token }}

check_update:
runs-on: ubuntu-latest

@@ -115,7 +91,7 @@ jobs:
build:
runs-on: ubuntu-latest
needs: [check_update, verify_image]
needs: check_update
if: ${{ needs.check_update.outputs.has_updates == 'true' }}

permissions:
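Review bot: With `needs: check_update` the build job in vib-build.yml now starts without any provenance check on the base image named in recipe.yml, and the same verify job is dropped from release.yml, where the release job still holds `attestations: write` and so presumably attests an image built on an unverified base. The problem described in the commit message is the hard-coded `--owner Vanilla-OS`, not verification itself, so a narrower change would keep the job and make the expected owner configurable, for example `gh attestation verify "oci://ghcr.io/$BASE_IMAGE" --owner "$BASE_IMAGE_OWNER"`, with `BASE_IMAGE_OWNER` (a placeholder name) supplied from a repository variable. If the check does have to go, a comment above `build:` such as `# base image from recipe.yml is not attestation-verified; verify or pin it out of band` would record the gap for downstream users of these workflows. The build job's body continues outside the hunk.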
