fix(cosign): enable cosign attest

This uses the artifact downloader version 4 again, in the previous changes, there could be a misconfiguration
digitalservicebund · Jan 25, 2024 · 4002d0e · 4002d0e
1 parent 71ad768
commit 4002d0e
Showing 1 changed file with 18 additions and 18 deletions.
diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml
@@ -9,7 +9,6 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  VULNERABILITY_SCAN_RECORD: vulnerabilities.json
   COSIGN_EXPERIMENTAL: "true"
 
 jobs:
@@ -71,18 +70,19 @@ jobs:
       - run: ./docker.sh --build app
       - run: ./docker.sh --push app
       - run: ./docker.sh --build prod
-      # - name: Generate cosign vulnerability scan record
-      #   uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
-      #   with:
-      #     image-ref: "${{ env.REGISTRY }}/${{ github.repository }}"
-      #     format: "cosign-vuln"
-      #     output: "${{ env.VULNERABILITY_SCAN_RECORD }}"
-      # - name: Upload cosign vulnerability scan record
-      #   uses: actions/upload-artifact@v4
-      #   with:
-      #     name: "${{ env.VULNERABILITY_SCAN_RECORD }}"
-      #     path: "${{ env.VULNERABILITY_SCAN_RECORD }}"
-      #     if-no-files-found: error
+      - name: Generate cosign vulnerability scan record
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
+        with:
+          image-ref: "${{ env.REGISTRY }}/${{ github.repository }}"
+          format: "cosign-vuln"
+          output: "vulnerabilities.json"
+      - name: Upload cosign vulnerability scan record
+        uses: actions/upload-artifact@v4
+        with:
+          name: "vulnerabilities"
+          path: "vulnerabilities.json"
+          compression-level: 0 # no compression
+          if-no-files-found: error
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
         with:
@@ -96,13 +96,13 @@ jobs:
         uses: github/codeql-action/upload-sarif@81b419c908d540ec4c7da9bfb4b5d941fca8f624
         with:
           sarif_file: "trivy-results.sarif"
-      # - name: Download cosign vulnerability scan record
-      #   uses: actions/download-artifact@v3
-      #   with:
-      #     name: "${{ env.VULNERABILITY_SCAN_RECORD }}"
+      - name: Download cosign vulnerability scan record
+        uses: actions/download-artifact@v4
+        with:
+          name: "vulnerabilities.json"
       - run: ./docker.sh --push prod
       - run: ./docker.sh --sign
-      # - run: ./docker.sh --attest
+      - run: ./docker.sh --attest
       - id: prod_image_tag
         run: echo "prod_image_tag=$(./docker.sh --prodImageTag)" >> $GITHUB_OUTPUT
     outputs: