A GitHub Action for digitally signing container images hosted on an OCI-conformant registry with Notation, the Notary Project (Notary v2) signing CLI.
Sign an image (the `uses`, `name` and `with` keys belong to a single step; splitting them across two list items, as in earlier versions of this README, produces an invalid workflow because a step with only `with` and no `uses` is rejected):

```yaml
name: ci
on: [push]
jobs:
  sign_container_image:
    runs-on: ubuntu-latest
    name: Notation sign container image
    steps:
      - name: Sign container image
        uses: notation-sign-action@v0.1.0
        with:
          image-name: 'registry/image:tag'
```
Pass extra arguments through to the Notation CLI (here, selecting the COSE signature envelope):

```yaml
name: ci
on: [push]
jobs:
  sign_container_image:
    runs-on: ubuntu-latest
    name: Notation sign container image
    steps:
      - name: Sign container image
        uses: notation-sign-action@v0.1.0
        with:
          image-name: 'registry/image:tag'
          args: --envelope-type cose
```
Sign an image on a registry that requires basic authentication (credentials are read from the environment, never from `with`, so they do not appear in the workflow file):

```yaml
name: ci
on: [push]
jobs:
  sign_container_image:
    runs-on: ubuntu-latest
    name: Notation sign container image
    steps:
      - name: Sign container image
        uses: notation-sign-action@v0.1.0
        env:
          NOTATION_USERNAME: ${{ secrets.NOTATION_USERNAME }}
          NOTATION_PASSWORD: ${{ secrets.NOTATION_PASSWORD }}
        with:
          image-name: 'registry/image:tag'
```
Sign an image hosted on Azure Container Registry (ACR), using a service principal for the Azure signing provider plus registry credentials:

```yaml
name: ci
on: [push]
jobs:
  sign_container_image:
    runs-on: ubuntu-latest
    name: Notation sign container image
    steps:
      - name: Sign container image
        uses: notation-sign-action@v0.1.0
        env:
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          NOTATION_USERNAME: ${{ secrets.NOTATION_USERNAME }}
          NOTATION_PASSWORD: ${{ secrets.NOTATION_PASSWORD }}
        with:
          image-name: 'registry/image:tag'
```
| Name | Type | Description | Required | Default |
|---|---|---|---|---|
| `image-name` | string | The full name of the container image (`registry/image-name:tag`) | true | |
**IMPORTANT:** The Notation Sign Action assumes the Notation CLI is already installed on the runner. To add the Notation CLI to your runner, run the `setup-notation` action in an earlier step of the same job.
Signing images hosted on a remote registry with basic auth enabled requires the following environment variables.

| Name | Description |
|---|---|
| `NOTATION_USERNAME` | Name of the user accessing the remote registry |
| `NOTATION_PASSWORD` | Password of the user accessing the remote registry |
To remotely sign container images hosted on Azure Container Registry, the Azure provider for Notary v2 Notation requires the following environment variables.

| Name | Description |
|---|---|
| `AZURE_TENANT_ID` | Tenant ID of the service principal |
| `AZURE_CLIENT_ID` | Client ID of the service principal |
| `AZURE_CLIENT_SECRET` | Password (client secret) value of the service principal |
| `NOTATION_USERNAME` | Name of the user accessing the remote registry |
| `NOTATION_PASSWORD` | Password of the user accessing the remote registry |
**NOTE:** To keep these values out of your workflow file and job logs, store them as GitHub Actions secrets and reference them with `${{ secrets.NAME }}` in the step's `env` block, as in the examples above.
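The snippets above each show one feature in isolation. The workflow below is an added example (not part of this README or the action's own examples) that puts them together end to end: log in, build and push, install the CLI with `setup-notation`, then sign with basic-auth credentials and a pass-through argument. The registry hostname `registry.example.com`, the repository `team/app`, the `actions/checkout`, `docker/login-action` and `docker/build-push-action` steps (third-party actions, not part of this page) and the `setup-notation@v0.1.0` tag are assumptions. It also signs the image by manifest digest (`registry/image@sha256:...`) rather than by the mutable tag documented above; that relies on the action passing `image-name` through to the Notation CLI, which accepts digest references, so treat that form as an assumption and fall back to `registry/image:tag` if the action rejects it.

```yaml
name: ci
on:
  push:
    branches: [main]

# Least privilege: the job reads the repo and pushes to the registry; it needs
# no write access to the repository itself.
permissions:
  contents: read

jobs:
  build_and_sign:
    runs-on: ubuntu-latest
    name: Build, push and Notation-sign a container image
    env:
      IMAGE: registry.example.com/team/app   # assumed registry and repository
    steps:
      - uses: actions/checkout@v4

      # Registry login for the push. Third-party action, assumed for this example.
      - name: Registry login
        uses: docker/login-action@v3
        with:
          registry: registry.example.com
          username: ${{ secrets.NOTATION_USERNAME }}
          password: ${{ secrets.NOTATION_PASSWORD }}

      # Build and push, capturing the manifest digest so the signature can be
      # bound to immutable content instead of a tag that could be re-pointed.
      - name: Build and push
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # The sign action assumes the Notation CLI is already on PATH, so install
      # it first. The tag on setup-notation is an assumption.
      - name: Set up Notation
        uses: setup-notation@v0.1.0

      - name: Sign container image
        uses: notation-sign-action@v0.1.0
        env:
          # Registry credentials come from secrets, never from the workflow file.
          NOTATION_USERNAME: ${{ secrets.NOTATION_USERNAME }}
          NOTATION_PASSWORD: ${{ secrets.NOTATION_PASSWORD }}
        with:
          # Digest reference (assumed to be accepted by the action):
          # registry.example.com/team/app@sha256:<hex>
          image-name: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          args: --envelope-type cose
```

Two points worth checking in your own pipeline: restrict the trigger (here `branches: [main]`) so that arbitrary pushes, including from forks, cannot produce signed artifacts, and confirm the sign step's `env` block is the only place the credentials appear, since anything placed under `with` is visible to whoever can read the workflow file.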