Skip to content

ci: fix sign-image.yaml mode detection + self-verify identity (RFC-044.4 WS3a)#27

Merged
devkoriel merged 1 commit into
mainfrom
ci/fix-signer-mode-detection
Jun 17, 2026
Merged

ci: fix sign-image.yaml mode detection + self-verify identity (RFC-044.4 WS3a)#27
devkoriel merged 1 commit into
mainfrom
ci/fix-signer-mode-detection

Conversation

@devkoriel

Copy link
Copy Markdown
Contributor

What

Fixes two bugs in the embedded sign-image.yaml, both found by a validation
workflow_dispatch of challenger's build (the build succeeded; the sign job failed
with no images to sign).

  1. Mode selection used github.event_name. In a workflow_call reusable,
    github.event_name inherits the caller's trigger (e.g. workflow_dispatch or a
    tag push), so the build-path call was misrouted into the re-sign branch, found
    refs empty, and exited 1. Now it selects mode by which input is set:
    refs -> re-sign, else digest+tags -> build-sign.

  2. Self-verify identity used github.ref. Also inherited from the caller, so a
    tag release would self-verify against @refs/tags/vX.Y.Z while the real keyless
    SAN is @refs/heads/main (callers reference the signer @main; the re-sign
    dispatch runs on the default branch). Pinned the verify identity to
    @refs/heads/main, which is what the @main reference produces and the only ref
    the Kyverno enforce IVP accepts.

No interface change; both workflow_call (build) and workflow_dispatch (re-sign)
paths keep working.

Test plan

  • Re-dispatch challenger docker.yml: build + sign both succeed.
  • cosign verify the pushed digest against
    .../sign-image.yaml@refs/heads/main passes.

@devkoriel devkoriel merged commit 1f3cff9 into main Jun 17, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant