remove cosign

nirmata · Jan 24, 2025 · a67bc43 · a67bc43
1 parent 6991807
commit a67bc43
Showing 1 changed file with 0 additions and 118 deletions.
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
@@ -37,17 +37,6 @@ jobs:
       with:
         fetch-depth: 0
 
-    - name: Checkout image
-      if: ${{ inputs.tag == 'image'}}
-      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
-
-    - name: Unshallow
-      if: ${{ inputs.tag == 'image'}}
-      run: git fetch --prune --unshallow --tags
-
-    - name: Install Cosign
-      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
-
     - name: Log into ghcr.io
       uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
@@ -69,114 +58,7 @@ jobs:
       run: |
         echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
 
-    - name: Generate SBOM JSON
-      if: ${{inputs.tag == 'release'}}
-      uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
-      with:
-        version: v1
-        args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
-
-    - name: Upload SBOM JSON
-      if: ${{inputs.tag == 'release'}}
-      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
-      with:
-        name: ${{inputs.image_name}}-bom-cdx
-        path: ${{inputs.image_name}}-v*-bom.cdx.json
-
-    - name: Extract branch name
-      if: ${{inputs.tag == 'image'}}
-      shell: bash
-      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-      id: extract_branch
-
-    - name: Check branch
-      if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
-      id: check-branch
-      run: |
-        if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
-            echo ::set-output name=match::true
-        fi
-
-    - name: Debug Inputs
-      run: |
-        echo "Tag: ${{ inputs.tag }}"
-        echo "publish_command : ${{ inputs.publish_command}}"
-        echo "Digest Command: ${{ inputs.digest_command }}"
-        echo "Image Name: ${{ inputs.image_name }}"
-        echo "Repository: ${{ github.repository }}"
-        echo "Workflow: ${{ github.workflow }}"
-        echo "SHA: ${{ github.sha }}"
-        echo "secrets.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}"
-        echo "github.actor: ${{ github.actor }}"
-        echo "Branch: ${{ steps.extract_branch.outputs.branch }}"
-
-    - name: Docker images publish
-      if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
-      run: make ${{inputs.publish_command}} FIPS_ENABLED=1
-
-    - name: get image digest
-      if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
-      id: get-step-image
-      run: |
-        digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1) 
-        echo "digest=${digest}" >> $GITHUB_ENV
-
     - name: Docker release-images publish
       if: ${{inputs.tag == 'release' || inputs.tag == 'image' }}
       run: make ${{inputs.publish_command}} FIPS_ENABLED=1
 
-    - name: Clear Sigstore TUF Cache
-      run: |
-        rm -rf ~/.sigstore
-
-    - name: Get release-image digest
-      if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
-      id: get-step
-      run: |
-        digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1  2>/dev/null || true)
-        if [[ -z "$digest" ]]; then
-          echo "Error: Unable to generate digest. Ensure the repository exists and credentials are valid." >&2
-          exit 1
-        fi
-        echo "digest=$digest" >> $GITHUB_ENV
-        echo "Digest: $digest"
-
-    - name: Debug Digest
-      run: |
-        echo "Digest: ${{ env.digest }}"
-        if [[ -z "${{ env.digest }}" || "${{ env.digest }}" == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ]]; then
-          echo "Error: Digest is empty or invalid." >&2
-          exit 1
-        fi
-
-    - name: Sign image
-      if: ${{ inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main' }}
-      env:
-        COSIGN_EXPERIMENTAL: "true"
-        COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures"
-      run: |
-        cosign sign --yes \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:${digest}
-
-    - name: Sign release-image
-      if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
-      env:
-        COSIGN_EXPERIMENTAL: "true"
-        COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures"
-        digest: ${{ env.digest }}
-      run: |
-        echo "Signing with digest: $digest"
-        cosign sign --yes \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:$digest
-
-    - name: Attach SBOM
-      if: ${{inputs.tag == 'release'}}
-      env:
-        COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/sbom"
-      run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx  ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ env.digest }}