blob: 356062c734e1174eed8e3795d6242292538a08de (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Cosign.gitlab-ci.yml
# This template extends Docker.gitlab-ci.yml to sign the image with Cosign after building.
# This allows you to verify that an image was built by a trusted pipeline before running it.
# See https://docs.gitlab.com/ee/ci/yaml/signing_examples.html for more details.
include:
- template: Docker.gitlab-ci.yml
docker-build:
variables:
COSIGN_YES: "true" # Used by Cosign to skip confirmation prompts for non-destructive operations
id_tokens:
SIGSTORE_ID_TOKEN: # Used by Cosign to get certificate from Fulcio
aud: sigstore
after_script:
- apk add --update cosign
- IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "$DOCKER_IMAGE_NAME")"
- cosign sign "$IMAGE_DIGEST"
|