BRE-1276 - Remove cosign verify commands (#420)

2026-06-28 06:15:46 +00:00 · 2025-10-28 15:56:08 +00:00
parent cb488b1281
commit c5d5e7d67f
2 changed files with 4 additions and 41 deletions
--- a/.github/workflows/build-unified.yml
+++ b/.github/workflows/build-unified.yml
@@ -203,11 +203,10 @@ jobs:

      - name: Install Cosign
        if: env.is_publish_branch == 'true'
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Sign image with Cosign
        if: env.is_publish_branch == 'true'
-        id: sign
        env:
          DIGEST: ${{ steps.build-docker.outputs.digest }}
          TAGS: ${{ steps.tag-list.outputs.tags }}
@@ -217,19 +216,7 @@ jobs:
          for tag in "${tags_array[@]}"; do
            images+=("${tag}@${DIGEST}")
          done
-          cosign sign --yes "${images[@]}"
-          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
-
-      - name: Verify the signed image(s) with Cosign
-        if: env.is_publish_branch == 'true'
-        env:
-          IMAGES: ${{ steps.sign.outputs.images }}
-        run: |
-          read -r -a images_array <<< "${COSIGN_IMAGES}"
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "${images_array[@]}"
+          cosign sign --yes ${images[@]}

      - name: Scan Docker image
        id: container-scan
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -252,7 +252,7 @@ jobs:
          persist-credentials: false

      - name: Install Cosign
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
@@ -299,18 +299,6 @@ jobs:
          cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
          cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:latest"

-      - name: Verify the signed image with Cosign
-        run: |
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
-
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/$_PROJECT_NAME:latest"
-
      - name: Log out of Docker
        run: |
          docker logout ghcr.io
@@ -347,7 +335,7 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Push version and latest image
        if: ${{ inputs.release_type != 'Dry Run' }}
@@ -363,18 +351,6 @@ jobs:
          cosign sign --yes "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
          cosign sign --yes "ghcr.io/bitwarden/self-host:latest"

-      - name: Verify the signed image with Cosign
-        run: |
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
-
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/self-host:latest"
-
      - name: Log out of skopeo and ghcr.io
        run: |
          skopeo logout --all