Open
Labels: kind/enhancement (Enhancement, improvement, extension)
Description
Let's check if we could use the gardenlinux upload_oci workflow. Currently it is copied and altered to this repo:
$ diff ./.github/workflows/upload_oci.yml ./gardenlinux/.github/workflows/upload_oci.yml
7a8,16
> secrets:
> region:
> required: true
> role:
> required: true
> session:
> required: true
> oci-kms-arn:
> required: true
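Review bot: all four `workflow_call` secrets added here (`region`, `role`, `session`, `oci-kms-arn`) are marked `required: true` but this repo's copy declares none of them, so adopting the upstream workflow as-is would fail at call time until the caller passes every one of them; they exist only to feed the OIDC role assumption and KMS signing steps further down, so if this repo does not sign, they would need to become optional upstream or be stubbed here.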
12c21
< flags: '--exclude "bare-*" --no-arch --json-by-arch --build --test'
---
> flags: '--no-arch --json-by-arch --publish'
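Review bot: the `flags` value is the real behavioural fork between the two copies: this repo runs `--build --test` with `--exclude "bare-*"`, upstream runs `--publish`, so a shared workflow would need `flags` exposed as a `workflow_call` input (with upstream's value as the default) rather than a hard-coded string, otherwise reusing it would switch this repo from build-and-test to publish.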
22a32
> environment: oidc_aws_s3_upload
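Review bot: upstream binds the job to the `oidc_aws_s3_upload` environment, which is what scopes the OIDC trust and the secrets to that job; this repo has no equivalent, so reuse would require creating a same-named environment here (ideally with its protection rules) or making the environment name an input.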
27a38
> - uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # pin@v4
29c40,42
< submodules: 'true'
---
> role-to-assume: ${{ secrets.role }}
> role-session-name: ${{ secrets.session }}
> aws-region: ${{ secrets.region }}
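Review bot: upstream drops `submodules: 'true'` from the checkout step while adding the `role-to-assume`/`role-session-name`/`aws-region` inputs; if `./build` in this repo depends on submodule content, reusing the upstream workflow would silently check out an incomplete tree, so either keep `submodules` in the shared workflow or confirm this repo no longer needs it.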
34,35d46
< ls -la
< ver=$(cat VERSION)
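Review bot: `ver=$(cat VERSION)` is only consumed by the `sed s/today/$ver/` in the following hunk, so this hunk and the next stand or fall together; `ls -la` is debugging output and can go regardless of which copy is kept.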
37,38c48,50
< # TODO: fix the sed from below
< cname="$(./build --resolve-cname ${{ matrix.flavor }}-${{ matrix.arch }} | sed s/today/$ver/)"
---
> - name: get cname
> run: |
> cname="$(./build --resolve-cname ${{ matrix.flavor }}-${{ matrix.arch }})"
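Review bot: upstream resolves the cname with no version substitution, so the `today` to `$ver` rewrite that this repo's TODO marks as broken would disappear entirely if the upstream workflow were reused; that is only acceptable if `./build --resolve-cname` already yields the intended cname here, otherwise the version handling would need to move into a `workflow_call` input or into `./build` itself.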
55a68,71
> - name: Install cosign
> uses: sigstore/cosign-installer@v3.7.0
> with:
> cosign-release: 'v2.4.1'
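Review bot: `sigstore/cosign-installer@v3.7.0` is pinned by mutable tag, unlike `aws-actions/configure-aws-credentials`, which is pinned by commit SHA with a `# pin@v4` comment two hunks above; for a step that installs the signing tool, pin the action by SHA in the same style (the `cosign-release: 'v2.4.1'` pin covers the cosign binary, not the installer action).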
67a84,90
> - name: Sign the manifest
> run: |
> docker login ghcr.io -u token -p ${{ secrets.GITHUB_TOKEN }}
> cosign sign -tlog-upload=false --key awskms://kms.${{ secrets.region }}.amazonaws.com/${{ secrets.oci-kms-arn }} ghcr.io/${{ github.repository }}@$(cat digest)
> - name: Verify signature
> run: |
> cosign verify --insecure-ignore-tlog=true --key awskms://kms.${{ secrets.region}}.amazonaws.com/${{ secrets.oci-kms-arn }} ghcr.io/${{ github.repository }}@$(cat digest)
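Review bot: `docker login ghcr.io -u token -p ${{ secrets.GITHUB_TOKEN }}` passes the token as a command-line argument, where it can land in shell history and process listings; prefer `echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u token --password-stdin`. Two smaller points in the same hunk: `-tlog-upload=false` uses a single dash while the verify step uses `--insecure-ignore-tlog=true`, so normalise to `--tlog-upload=false`; and `${{ secrets.region}}` in the verify URL lacks the space that the sign step has, harmless to the expression parser but worth aligning.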