
Commit 2107f17

authored
feat(source-commit): Update source-commit to enforce signature verification (#2665)
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
1 parent 49466dd commit 2107f17

6 files changed

Lines changed: 10 additions & 0 deletions


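--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -44,6 +44,9 @@ jobs:
 if: ${{ github.event_name != 'pull_request' }}
 run: |
 chainloop attestation init --workflow $CHAINLOOP_WORKFLOW_NAME --project $CHAINLOOP_PROJECT
+env:
+# Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Set up Go
 uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1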
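Review bot: The new `GITHUB_TOKEN` entry on the attestation init step hands the job's token to the chainloop CLI, and nothing in the hunk shows what that token is allowed to do; the same entry is added in package_chart.yaml and release.yaml. Commit verification presumably only needs to read commit metadata, so it is worth confirming that each of these jobs declares a `permissions:` block limited to what it needs (for example `contents: read` plus whatever the job already requires) instead of inheriting the repository default. The added comment could also record the expected scope, e.g. `# Read-only use: looks up the commit's verification status`. The job definitions start outside these hunks, so an existing `permissions:` setting may already cover this.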

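--- a/.github/workflows/contracts/chainloop-vault-codeql.yml
+++ b/.github/workflows/contracts/chainloop-vault-codeql.yml
@@ -16,6 +16,7 @@ spec:
 - ref: source-commit
 with:
 check_signature: yes
+check_author_verified: yes
 requirements:
 - chainloop-best-practices/commit-signed
 policyGroups: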
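Review bot: `check_author_verified: yes` relies on the unquoted scalar `yes`, which a YAML 1.1 parser reads as boolean true and a YAML 1.2 parser reads as the string "yes"; an input that switches a verification control on should not depend on which parser loads the contract. Writing it in the form the policy actually compares against, `check_author_verified: "yes"` if it expects the string or `true` if it expects a boolean, removes that ambiguity, and the neighbouring `check_signature: yes` has the same issue. The same line is added in chainloop-vault-helm-package.yml and chainloop-vault-release.yml. It is also worth confirming that the policy fails the attestation, rather than skipping the check, when the workflow supplies no `GITHUB_TOKEN`.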

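--- a/.github/workflows/contracts/chainloop-vault-helm-package.yml
+++ b/.github/workflows/contracts/chainloop-vault-helm-package.yml
@@ -22,6 +22,7 @@ spec:
 - ref: source-commit
 with:
 check_signature: yes
+check_author_verified: yes
 requirements:
 - chainloop-best-practices/commit-signed
 materials: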

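--- a/.github/workflows/contracts/chainloop-vault-release.yml
+++ b/.github/workflows/contracts/chainloop-vault-release.yml
@@ -10,6 +10,7 @@ spec:
 - ref: source-commit
 with:
 check_signature: yes
+check_author_verified: yes
 requirements:
 - chainloop-best-practices/commit-signed
 - ref: containers-with-sbom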

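--- a/.github/workflows/package_chart.yaml
+++ b/.github/workflows/package_chart.yaml
@@ -90,6 +90,8 @@ jobs:
 env:
 COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_KEY}}
 COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+# Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Finish and Record Attestation
 if: ${{ success() }}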

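--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -37,6 +37,8 @@ jobs:
 CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
 CHAINLOOP_WORKFLOW_NAME: "release"
 CHAINLOOP_PROJECT_NAME: "chainloop"
+# Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 release:
 name: Release CLI and control-plane/artifact-cas container images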
