You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi @JamieMagee!
The started workflow example executes install action and this is a recommended way to use consign as you can set up any version you like or stay on the latest. The installation takes not more than 2-3 seconds:
jobs:
build:
runs-on: ubuntu-latestname: Install Cosign and test presence in pathsteps:
- name: Install Cosignuses: sigstore/cosign-installer@mainwith:
cosign-release: 'v1.4.1'
- name: Check install!run: cosign version
However, the action doesn't support other OSs at the moment and we recommend creating an issue in the https://github.com/sigstore/cosign-installer repository to add the support.
Until that you can use the following snippets to install consign in runtime, it won't take more than 5 seconds for macOS and 20 for windows:
Considering fast installation time in runtime and maintenance concerns we would not like to add the tool to the image. Please use the action\snippets provided.
I'm going to close the issue, feel free to contact us if you have any concerns.
Thank you!
@miketimofeev Thanks for the quick response and detailed feedback.
My aim with adding cosign to the default image was to simplify the whole process for users to start using it. The starter action is simple, but could be simpler 😄 I totally understand the maintenance aspect, and the need to keep the VM images small as well.
Tool name
cosign
Tool license
Apache License 2.0
Add or update?
Desired version
1.4.1
Approximate size
80MB
Brief description of tool
Container Signing, Verification and Storage in an OCI registry.
It is promoted in a GitHub blog post1 and in starter workflows2
URL for tool's homepage
https://github.com/sigstore/cosign
Provide a basic test case to validate the tool's functionality.
No response
Virtual environments affected
Can this tool be installed during the build?
Tool installation time in runtime
a couple of seconds
Are you willing to submit a PR?
yes
Footnotes
https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/ ↩
https://github.com/actions/starter-workflows/blob/5104ac42744c84c675b2f9e1168e89f1dd60c059/ci/docker-publish.yml#L40-L46 ↩
The text was updated successfully, but these errors were encountered: