mirror of
https://github.com/Airsonic-Pulse/airsonic-pulse.git
synced 2026-07-09 21:18:27 +00:00
Complete 13.1.0's supply-chain hardening sequence (following #175 SHA pinning and #184 Actions major bumps) by signing every released container image with Cosign keyless signing via GitHub Actions OIDC. What changes in release.yml: - Top-level permissions gain id-token: write for OIDC token issuance - docker/build-push-action step gains id: build-push so its digest output can be referenced by the cosign step - New Install Cosign step using sigstore/cosign-installer@v4.1.2 (SHA-pinned matching the #175 convention; bundles Cosign 3.0.6 by default) - New Sign image step calling cosign sign --yes against the manifest-list digest from build-push. Signing by digest covers both :<version> and (when applicable) :latest in a single call, and the manifest-list digest also covers both linux/amd64 and linux/arm64 platform layers. See docs/security/image-verification.md for the verification command, success/failure interpretation, and the full trust-model explanation. fixes #183 Co-authored-by: litebito <litebito@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| image-verification.md | ||