ci(fix): temporarily removing cosign verification #564
Codecov Report: All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main     #564   +/-   ##
=======================================
  Coverage   79.44%   79.44%
=======================================
  Files          22       22
  Lines        2807     2807
=======================================
  Hits         2230     2230
  Misses        439      439
  Partials      138      138
Pull request overview
This PR temporarily disables cosign signature verification in the CI build pipeline by commenting out the verification step. The signing process remains active, but the verification that would validate those signatures is being removed.
- Cosign verification step for both DockerHub and GitHub Container Registry is commented out
- Images continue to be signed via cosign but are no longer verified in the pipeline
| # - name: Verify cosign signatures | ||
| # run: | | ||
| # echo "::group::Verify signature (DockerHub)" | ||
| # cosign verify --rekor-url https://rekor.sigstore.dev \ | ||
| # --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ | ||
| # --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | ||
| # ${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | ||
| # echo "::endgroup::" | ||
|
|
||
| # echo "::group::Verify signature (GitHub Container Registry)" | ||
| # cosign verify --rekor-url https://rekor.sigstore.dev \ | ||
| # --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ | ||
| # --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | ||
| # ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | ||
| # echo "::endgroup::" |
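Review bot: commenting out the whole step removes the only point in the pipeline that confirms the published signature actually verifies under the identity consumers are told to pin (`https://github.com/${{ github.workflow_ref }}` issued by `https://token.actions.githubusercontent.com`), so a misconfigured sign step now passes CI silently. If the step is being disabled because it fails intermittently, mark it `continue-on-error: true` (or wrap the two `cosign verify` calls in a short retry) instead of commenting it out: the result stays visible in the run log while the build is unblocked, and nothing has to be remembered and restored later. Whichever route is taken, the workflow itself records no reason for the change; a one-line comment with the cause and the tracking issue above `# - name: Verify cosign signatures` is the minimum a future reader needs.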
Since this is a temporary removal (as indicated by the PR title), consider adding a TODO comment with a tracking issue or explanation. This will help ensure the verification step is re-enabled in the future and provide context for why it was temporarily disabled.
Example:
# TODO: Re-enable cosign verification once [issue/reason] is resolved
# Temporarily disabled due to [specific reason]
# - name: Verify cosign signatures
Commenting out the verification step while keeping the signing step (lines 214-220) creates an inconsistency in the CI pipeline. Images are still being signed but the signatures are no longer being verified, which defeats the purpose of signing.
If verification is causing issues, consider whether the signing step should also be temporarily disabled, or ensure there's a plan to re-enable verification soon to maintain the security benefits of the signing process.
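The comment above raises the point that signing without verifying gives no assurance to anyone. The following is an added example, not code from this PR or its project, showing what a consumer-side verification policy looks like once the in-pipeline step is gone. It consumes the JSON array that `cosign verify` prints to stdout (one simple-signing payload per signature, with `critical.image.docker-manifest-digest` and the Fulcio `Issuer`/`Subject` under `optional`) and adds two constraints that the workflow's own `cosign verify` call does not impose: the signed digest must be the digest about to be deployed, and the signing run must have come from a protected ref. That second constraint matters because the PR pins `--certificate-identity` to `https://github.com/${{ github.workflow_ref }}`, which expands to whatever ref ran the job, feature branches included. The repository name, workflow file name, digests and sample payloads are constructed for the example; the field names follow cosign's simple-signing output.

```python
"""Consumer-side policy check over `cosign verify` stdout.

Added example, not code from the PR. `cosign verify --certificate-identity ...
--certificate-oidc-issuer ...` already rejects signatures whose Fulcio
certificate does not carry the pinned identity; this check additionally ties
the result to the digest being deployed and restricts the signing run to a
protected ref. Repo, workflow file and digests below are constructed.
"""
import json
import re

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def expected_identity(repo: str, workflow_file: str, ref: str) -> str:
    """SAN that Fulcio issues for a GitHub Actions keyless signature:
    https://github.com/ followed by what ${{ github.workflow_ref }} expands to."""
    return f"https://github.com/{repo}/.github/workflows/{workflow_file}@{ref}"


def check_signatures(verify_stdout, repo, workflow_file, expected_digest,
                     allowed_refs=(r"refs/heads/main", r"refs/tags/v\d+\.\d+\.\d+")):
    """Return a list of policy violations; an empty list means every
    signature in the output is acceptable."""
    payloads = json.loads(verify_stdout)
    if not payloads:
        return ["no signatures in verify output"]
    ref_re = re.compile("^(?:" + "|".join(allowed_refs) + ")$")
    prefix = f"https://github.com/{repo}/.github/workflows/{workflow_file}@"
    problems = []
    for i, payload in enumerate(payloads):
        critical = payload.get("critical", {})
        optional = payload.get("optional") or {}
        # The signature covers a manifest digest; it must be the one we deploy.
        digest = critical.get("image", {}).get("docker-manifest-digest")
        if digest != expected_digest:
            problems.append(f"sig {i}: digest {digest} != expected {expected_digest}")
        # Only GitHub Actions OIDC tokens may have minted the signing cert.
        if optional.get("Issuer") != GITHUB_OIDC_ISSUER:
            problems.append(f"sig {i}: issuer {optional.get('Issuer')!r} is not GitHub Actions")
        # The cert SAN names repo, workflow file and the ref that ran it.
        subject = optional.get("Subject") or ""
        if not subject.startswith(prefix):
            problems.append(f"sig {i}: subject {subject!r} is not {workflow_file} in {repo}")
            continue
        ref = subject[len(prefix):]
        if not ref_re.match(ref):
            problems.append(f"sig {i}: signed from unprotected ref {ref!r}")
    return problems


# Constructed sample output in the shape `cosign verify` prints to stdout.
REPO = "example-org/example-app"
WORKFLOW = "build.yml"
BUILT_DIGEST = "sha256:" + "11" * 32


def _payload(ref, digest=BUILT_DIGEST, issuer=GITHUB_OIDC_ISSUER):
    return {
        "critical": {
            "identity": {"docker-reference": f"ghcr.io/{REPO}"},
            "image": {"docker-manifest-digest": digest},
            "type": "cosign container image signature",
        },
        "optional": {
            "Issuer": issuer,
            "Subject": expected_identity(REPO, WORKFLOW, ref),
            "githubWorkflowRef": ref,
        },
    }


SAMPLE_MAIN = json.dumps([_payload("refs/heads/main")])
SAMPLE_FEATURE_BRANCH = json.dumps([_payload("refs/heads/feature/skip-verify")])
SAMPLE_WRONG_DIGEST = json.dumps([_payload("refs/tags/v1.2.3", digest="sha256:" + "22" * 32)])


if __name__ == "__main__":
    for name, sample in [("main", SAMPLE_MAIN), ("feature", SAMPLE_FEATURE_BRANCH),
                         ("digest", SAMPLE_WRONG_DIGEST)]:
        print(name, check_signatures(sample, REPO, WORKFLOW, BUILT_DIGEST) or "ok")
```

In a deployment job this would run as `cosign verify ... "$IMAGE@$DIGEST" | python3 check.py`, with `expected_digest` taken from the same resolved digest the deploy step uses, so that a signature over some other build of the same tag cannot be replayed. The `allowed_refs` default admits `main` and semver tags only; a feature-branch run that is otherwise perfectly signed is rejected, which is the gap the pipeline's `${{ github.workflow_ref }}` identity leaves open even when its verify step is re-enabled.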
| # - name: Verify cosign signatures | |
| # run: | | |
| # echo "::group::Verify signature (DockerHub)" | |
| # cosign verify --rekor-url https://rekor.sigstore.dev \ | |
| # --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ | |
| # --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| # ${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | |
| # echo "::endgroup::" | |
| # echo "::group::Verify signature (GitHub Container Registry)" | |
| # cosign verify --rekor-url https://rekor.sigstore.dev \ | |
| # --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ | |
| # --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| # ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | |
| # echo "::endgroup::" | |
| - name: Verify cosign signatures | |
| run: | | |
| echo "::group::Verify signature (DockerHub)" | |
| cosign verify --rekor-url https://rekor.sigstore.dev \ | |
| --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| ${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | |
| echo "::endgroup::" | |
| echo "::group::Verify signature (GitHub Container Registry)" | |
| cosign verify --rekor-url https://rekor.sigstore.dev \ | |
| --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }} | |
| echo "::endgroup::" |
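Review bot: the removed (`-`) lines are the only place the workflow states the identity/issuer pair downstream users must pass to `cosign verify`; with them gone, that pair survives only as commented-out text that is easy to drift from the sign step. Before merging, copy the exact `--certificate-identity` and `--certificate-oidc-issuer` values into the project's consumer-facing docs so verification can still be done outside CI while the step is disabled. Note also that both calls verify against `${{ steps.docker_build.outputs.digest }}` inside the same job that just signed it, so even when restored the step only proves the sign step succeeded; the identity `https://github.com/${{ github.workflow_ref }}` accepts any ref that ran the workflow, and consumers who want protected-branch or tag-only signatures need to pin a narrower identity than this hunk shows.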



rel #565