
Standalone verify reusable workflow #23

@crazy-max

Description


Currently we show how a user can verify signatures using a few steps in his workflow: https://github.com/docker/github-builder-experimental/blob/93fe71762869c62a90c1f34ca0edd1bc80cfe9bc/README.md#build-reusable-workflow

```yaml
  build:
    uses: docker/github-builder-experimental/.github/workflows/build.yml@main
    permissions:
      contents: read
      id-token: write # for signing attestation manifests with GitHub OIDC Token
      packages: write # needed to push images to GitHub Container Registry
    with:
      output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
      meta-images: name/app
      meta-tags: |
        type=ref,event=branch
        type=ref,event=pr
        type=semver,pattern={{version}}
      build-platforms: linux/amd64,linux/arm64
    secrets:
      registry-auths: |
        - registry: docker.io
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

  build-verify:
    runs-on: ubuntu-latest
    if: ${{ github.event_name != 'pull_request' }}
    needs:
      - build
    steps:
      -
        name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: ${{ needs.build.outputs.cosign-version }}
      -
        name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: docker.io
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Verify signatures
        uses: actions/github-script@v8
        env:
          # github-script reads INPUT_* env vars as inputs, so this becomes 'cosign-verify-commands'
          INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.build.outputs.cosign-verify-commands }}
        with:
          script: |
            for (const cmd of core.getMultilineInput('cosign-verify-commands')) {
              await exec.exec(cmd);
            }
```

Or as done in our test workflow:

It would be better to provide a reusable workflow for such a case, like:

```yaml
  build:
    uses: docker/github-builder-experimental/.github/workflows/build.yml@main
    permissions:
      contents: read
      id-token: write # for signing attestation manifests with GitHub OIDC Token
      packages: write # needed to push images to GitHub Container Registry
    with:
      output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
      meta-images: name/app
      meta-tags: |
        type=ref,event=branch
        type=ref,event=pr
        type=semver,pattern={{version}}
      build-platforms: linux/amd64,linux/arm64
    secrets:
      registry-auths: |
        - registry: docker.io
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

  build-verify:
    if: ${{ github.event_name != 'pull_request' }}
    uses: docker/github-builder-experimental/.github/workflows/verify.yml@main
    with:
      build-outputs: ${{ toJSON(needs.build.outputs) }}
```
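A sketch of what such a `verify.yml` could look like, added here as an example and not a file from docker/github-builder-experimental: it takes the `build-outputs` JSON proposed above, reads the `cosign-version` and `cosign-verify-commands` outputs used in the first snippet, and fails the job when the command list is empty so a build that emits no verify commands cannot pass as verified. The `registry` input and the `registry-username`/`registry-password` secrets are assumptions, since the verify job still needs registry credentials of its own.

```yaml
on:
  workflow_call:
    inputs:
      build-outputs:
        description: toJSON(needs.build.outputs) from the build workflow
        required: true
        type: string
      registry: # hypothetical input, not part of the proposal above
        required: false
        type: string
        default: docker.io
    secrets: # hypothetical secret names
      registry-username:
        required: false
      registry-password:
        required: false
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      -
        name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          # same cosign release the build workflow signed with
          cosign-release: ${{ fromJSON(inputs.build-outputs)['cosign-version'] }}
      -
        name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ secrets.registry-username }}
          password: ${{ secrets.registry-password }}
      -
        name: Verify signatures
        uses: actions/github-script@v8
        env:
          BUILD_OUTPUTS: ${{ inputs.build-outputs }}
        with:
          script: |
            const outputs = JSON.parse(process.env.BUILD_OUTPUTS);
            const cmds = (outputs['cosign-verify-commands'] || '')
              .split('\n').map((l) => l.trim()).filter(Boolean);
            // An empty command list must not count as a successful verification.
            if (!cmds.length) { core.setFailed('no cosign verify commands in build outputs'); return; }
            for (const cmd of cmds) {
              await exec.exec(cmd); // non-zero exit fails the job
            }
```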
