test signing and publishing of image

mickmis · mickmis · commit a5aa4af48d51 · 2026-03-31T18:37:03.000+02:00
diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml
@@ -6,14 +6,16 @@
 
 name: Publish monitoring image to Docker Registry (on new release tag)
 on:
-  push:
-    tags:
-      # To modify to trigger the job for fork's releases
-      # Note: GitHub's filter pattern capabilities are limited[1], so this
-      # pattern matches more often than it should.  A more correct regex would
-      # be the one found in scripts/tag.sh.
-      # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
-      - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*"
+  pull_request: # TODO: added for testing purposes, remove me before merging
+# TODO: commented out for testing purposes, restore me before merging
+#  push:
+#    tags:
+#      # To modify to trigger the job for fork's releases
+#      # Note: GitHub's filter pattern capabilities are limited[1], so this
+#      # pattern matches more often than it should.  A more correct regex would
+#      # be the one found in scripts/tag.sh.
+#      # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
+#      - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*"
 permissions:
   contents: read
 jobs:
@@ -28,8 +30,6 @@ jobs:
     steps:
       - name: Install Cosign
         uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
-        with:
-          cosign-release: 'v2.6.1'
       - name: Job information
         run: |
           echo "Job information"
@@ -56,7 +56,7 @@ jobs:
       - name: Build, push and sign image
         env:
           DOCKER_URL: ${{ secrets.DOCKER_URL }}
-          DOCKER_UPDATE_LATEST: true
+          DOCKER_UPDATE_LATEST: false # TODO: changed for testing purposes, revert me to 'true' before merging
           DOCKER_SIGN: true
           CERT_IDENTITY: https://github.com/${{ github.workflow_ref }}
           CERT_ISSUER: https://token.actions.githubusercontent.com
diff --git a/build/build_and_push.sh b/build/build_and_push.sh
@@ -27,7 +27,8 @@ else
 fi
 cd "${BASEDIR}"
 
-VERSION=$(./scripts/git/version.sh monitoring)
+VERSION=cosign-test # TODO: hardcoded for testing purposes, remove me before merging
+#VERSION=$(./scripts/git/version.sh monitoring)
 LATEST_TAG="latest"
 
 if [[ -z "${DOCKER_URL}" ]]; then
@@ -50,10 +51,11 @@ else
     # We sign only the first digest of the image. We don't expect multiple ones as we are building for a single architecture.
     DIGEST=$(docker image inspect --format='{{index .RepoDigests 0}}' "${TAG}")
     echo "Signing docker image ${TAG} (digest: ${DIGEST})..."
-    cosign sign --yes "${DIGEST}"
+    cosign sign -d --yes "${DIGEST}"
+    sleep 30
 
-    echo "Verifying signature of docker image ${TAG} (digest: ${DIGEST})..."
-    cosign verify "${DIGEST}" --certificate-identity="${CERT_IDENTITY}" --certificate-oidc-issuer="${CERT_ISSUER}"
+    echo "Verifying locally signature of docker image ${TAG} (digest: ${DIGEST})..."
+    cosign verify -d --certificate-identity="${CERT_IDENTITY}" --certificate-oidc-issuer="${CERT_ISSUER}" "${DIGEST}"
 
     echo "Signed and verified signature of docker image ${TAG} (digest: ${DIGEST})..."
 
