ci: log cosign attest verification to file to release pipeline remove…

… hangs (#2975)
keptn · Feb 7, 2024 · 11b81a0 · 11b81a0
1 parent 7673b7f
commit 11b81a0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -565,6 +565,7 @@ spanhandler
 spanid
 spanitem
 spdx
+spdxjson
 spf
 squidfunk
 sre

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -207,11 +207,21 @@ jobs:
         env:
           IMAGE_DIGEST: ${{ steps.docker_build_image.outputs.digest }}
         run: |
-          cosign attest --yes --type spdx --predicate ./sbom-${{ matrix.config.name }}.spdx.json ${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}
+          echo "Attesting SBOM for this release and image..."
+          cosign attest --yes --type spdxjson --predicate ./sbom-${{ matrix.config.name }}.spdx.json ${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}
+          echo "Verifying that the attestation worked..."
           cosign verify-attestation --type spdx \
             --certificate-identity-regexp="https://github.com/keptn/lifecycle-toolkit/.*" \
             --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+            --output-file ./cosign-attest-output.json
             ${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}
+          echo "Result of verification:"
+
+      - name: Upload verification log as artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: cosign-attest-verification-log
+          path: ./cosign-attest-output.json
 
   update-examples:
     name: Update examples