diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 11a9789..0d604ea 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -12,6 +12,9 @@ on:
 description: "Registry authentication details as YAML objects"
 required: false
+env:
+ DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.71.0"
+
 jobs:
 verify:
 runs-on: ubuntu-24.04
@@ -44,12 +47,37 @@ jobs:
 core.setOutput('artifact-name', artifactName);
 core.setOutput('output-type', outputType);
 core.setOutput('signed', signed);
+ -
+ name: Install @docker/actions-toolkit
+ if: ${{ steps.vars.outputs.signed == 'true' }}
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ env:
+ INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }}
+ with:
+ script: |
+ await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
 -
 name: Install Cosign
 if: ${{ steps.vars.outputs.signed == 'true' }}
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ env:
+ INPUT_COSIGN-VERSION: ${{ steps.vars.outputs.cosign-version }}
 with:
- cosign-release: ${{ steps.vars.outputs.cosign-version }}
+ script: |
+ const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
+ const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
+
+ const cosignInstall = new Install();
+ const cosignBinPath = await cosignInstall.download({
+ version: core.getInput('cosign-version'),
+ ghaNoCache: true,
+ skipState: true,
+ verifySignature: true
+ });
+ await cosignInstall.install(cosignBinPath);
+
+ const cosign = new Cosign();
+ await cosign.printVersion();
 -
 name: Login to registry
 if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'image' }}
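Review bot: `DOCKER_ACTIONS_TOOLKIT_MODULE` fixes only the top-level package version, and the `npm install` step added in the second hunk resolves that package's dependencies from the registry on every run, with no lockfile or integrity value visible in this diff. The actions in the visible steps are pinned to commit SHAs, so this is the one input to the Cosign install path that is not content-addressed, and `--ignore-scripts` only blocks install-time scripts, not the code later loaded by `require`. Consider installing from a committed lockfile (`npm ci --ignore-scripts` in a directory holding `package.json` and `package-lock.json`), and add a comment above the entry such as `# Supplies the code that installs and verifies Cosign; exact version only, review the release before bumping`.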
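Review bot: The options passed to `cosignInstall.download()` in the Install Cosign step carry the security-relevant behaviour of that step but are undocumented, so a later edit could drop `verifySignature: true` without the loss being obvious in review. Add a comment above the call, for example `// verifySignature must stay true: the downloaded cosign binary is checked before install()`, plus a short line on why `ghaNoCache` and `skipState` are set. What these flags do inside @docker/actions-toolkit is not visible in this diff, so the wording should be confirmed against the pinned version of the library. It is also worth confirming that a failed verification makes `download()` reject, since nothing in the script checks a result before `install()` runs.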