Merge pull request #68 from docker/verify-cosign-install

verify: use the actions-toolkit to install cosign

Author: crazy-max

.github/workflows/verify.yml

@@ -12,6 +12,9 @@ on:
         description: "Registry authentication details as YAML objects"
         required: false
 
+env:
+  DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/[email protected]"
+
 jobs:
   verify:
     runs-on: ubuntu-24.04
@@ -44,12 +47,37 @@ jobs:
             core.setOutput('artifact-name', artifactName);
             core.setOutput('output-type', outputType);
             core.setOutput('signed', signed);
+      -
+        name: Install @docker/actions-toolkit
+        if: ${{ steps.vars.outputs.signed == 'true' }}
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }}
+        with:
+          script: |
+            await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
       -
         name: Install Cosign
         if: ${{ steps.vars.outputs.signed == 'true' }}
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_COSIGN-VERSION: ${{ steps.vars.outputs.cosign-version }}
         with:
-          cosign-release: ${{ steps.vars.outputs.cosign-version }}
+          script: |
+            const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
+            const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
+
+            const cosignInstall = new Install();
+            const cosignBinPath = await cosignInstall.download({
+              version: core.getInput('cosign-version'),
+              ghaNoCache: true,
+              skipState: true,
+              verifySignature: true
+            });
+            await cosignInstall.install(cosignBinPath);
+
+            const cosign = new Cosign();
+            await cosign.printVersion();
       -
         name: Login to registry
         if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'image' }}