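--- a/<path not shown>
+++ b/<path not shown>
@@ -11,8 +11,18 @@ tag="$(stamp "{TAG}")"
 digest="$(cat {DIGEST})"
 echo "Pushing $repository@$digest"
 {CRANE} push {IMAGE} "$repository@$digest"
-{COSIGN} attest "$repository@$digest" --predicate "{SBOM}" --type "spdx" --yes
-{COSIGN} sign "$repository@$digest" --yes
+
+# Check for signature and skip signing/sbom if present
+exit_code=0
+{COSIGN} verify "$repository@$digest" --certificate-oidc-issuer https://accounts.google.com --certificate-identity "${{KEYLESS}}" > /dev/null || exit_code=$?
+
+# We can't differentiate between system errors and cosign verification errors using exit code, so try on all
+# failures
+if [ $exit_code -ne 0 ]; then
+{COSIGN} attest "$repository@$digest" --predicate "{SBOM}" --type "spdx" --yes
+{COSIGN} sign "$repository@$digest" --yes
+fi
+
 {CRANE} tag "$repository@$digest" "$tag"
 """
 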
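Review bot: The skip decision keys only on `cosign verify`, so an image that already carries a signature from this identity but no SPDX attestation will never receive one — the signature is used as a proxy for the attestation that the "skip signing/sbom if present" comment says it also covers. A second check folded into the same `exit_code` closes that gap: `{COSIGN} verify-attestation "$repository@$digest" --type spdx --certificate-oidc-issuer https://accounts.google.com --certificate-identity "${{KEYLESS}}" > /dev/null || exit_code=$?`, placed right after the `verify` line, so a missing attestation still enters the attest/sign branch. As the second comment acknowledges, any non-zero exit (registry or auth failure included) re-runs both commands, and keyless `cosign sign`/`attest` appear to append rather than replace, so repeated transient failures can accumulate duplicate signatures and attestations on the digest; if that is the accepted trade-off, say so in the comment, e.g. `# NOTE: a transient verify failure re-signs; cosign appends, it does not replace`. The template string this hunk edits begins outside the hunk; only its closing `"""` is visible here.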