ci: gate cosign/sbom/attest steps to github only

cosign keyless sign uses Sigstore Fulcio which requires a
Fulcio-trusted OIDC issuer. Forgejo runs don't have one, so cosign
falls back to the interactive device flow and times out
(error obtaining token: expired_token). Same applies to
attest-build-provenance and the SBOM action's signed attestation.

Skip all three on Forgejo for now; ISO + sha256 are sufficient for
v0.5.x test releases. Re-add when we self-host a Sigstore stack or
sign with a key-pair instead of keyless.
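An added example, not part of this commit or the veilor-os workflow: a POSIX shell helper that makes the decision the new `if:` guards encode, but keyed on the actual token source rather than on the forge URL alone. On GitHub Actions the runner exports `ACTIONS_ID_TOKEN_REQUEST_URL` (and the matching request token) when the job has `id-token: write`; cosign's keyless flow reads those to obtain the Fulcio-trusted OIDC token, and without them it drops into the interactive device flow the commit message describes. `GITHUB_SERVER_URL` is the environment form of the `github.server_url` context the workflow compares against. `COSIGN_KEY_PATH` is a hypothetical variable for the key-pair fallback the commit message mentions, and the artifact name is constructed. The cosign command lines are printed rather than executed so the helper runs without cosign installed.

```shell
#!/bin/sh
# Added example (not the project's code). Picks a signing mode for one
# artifact based on what the runner can actually provide.
#
# choose_sign_mode SERVER_URL OIDC_REQUEST_URL KEY_PATH -> prints one of:
#   keyless  - GitHub-hosted AND an OIDC token request URL is present
#   keypair  - a cosign private key file exists (self-managed fallback)
#   skip     - neither: ship only the artifact plus its sha256
choose_sign_mode() {
    server_url=$1
    oidc_url=$2
    key_path=$3
    if [ "$server_url" = "https://github.com" ] && [ -n "$oidc_url" ]; then
        echo keyless
    elif [ -n "$key_path" ] && [ -f "$key_path" ]; then
        echo keypair
    else
        echo skip
    fi
}

# cosign_cmd MODE FILE KEY_PATH -> prints the command for that mode.
# Printed, not run, so this works without cosign; pipe into sh to sign.
cosign_cmd() {
    mode=$1
    file=$2
    key_path=$3
    case $mode in
        keyless)
            # --yes skips the consent prompt; the Fulcio certificate must be
            # kept alongside the signature for cosign verify-blob later.
            echo "cosign sign-blob --yes --output-signature $file.sig --output-certificate $file.pem $file"
            ;;
        keypair)
            echo "cosign sign-blob --yes --key $key_path --output-signature $file.sig $file"
            ;;
        skip)
            echo "sha256sum $file > $file.sha256"
            ;;
    esac
}

# Driver: reads the same inputs the workflow's `if:` uses, from the
# environment. COSIGN_KEY_PATH is an assumed, hypothetical variable.
sign_artifact() {
    file=$1
    mode=$(choose_sign_mode "${GITHUB_SERVER_URL:-}" \
                            "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" \
                            "${COSIGN_KEY_PATH:-}")
    echo "sign mode for $file: $mode" >&2
    cosign_cmd "$mode" "$file" "${COSIGN_KEY_PATH:-}"
}

# Usage on a constructed artifact name (no cosign needed; prints the command).
sign_artifact veilor-os.iso.part-00
```

Gating on the presence of the OIDC request URL instead of only the server URL means a GitHub job that forgot `id-token: write` degrades to `skip` with a clear log line instead of hanging in the device flow until the token expires.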
obsidian-ai 2026-05-06 15:41:00 +01:00 committed by s8n
parent e17c04007d
commit ecd374ab1a


@ -174,12 +174,12 @@ jobs:
ls "${ISO}".part-* ls "${ISO}".part-*
- name: Install cosign - name: Install cosign
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
# Pinned to last v3 release confirmed node20. # Pinned to last v3 release confirmed node20.
uses: sigstore/cosign-installer@v3.7.0 uses: sigstore/cosign-installer@v3.7.0
- name: Sign ISO parts (keyless) - name: Sign ISO parts (keyless)
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
run: | run: |
cd build/out cd build/out
for f in *.part-*; do for f in *.part-*; do
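Review bot: the `github.server_url == 'https://github.com'` guard added to the Install cosign and Sign ISO parts (keyless) steps is the only thing preventing the device-flow timeout, but it tests the forge rather than the thing keyless cosign actually needs, an OIDC token source; a GitHub job that lacks `id-token: write` still passes this guard and hangs the same way. Consider gating on both, e.g. additionally requiring the runner to expose `ACTIONS_ID_TOKEN_REQUEST_URL`. Separately, `uses: sigstore/cosign-installer@v3.7.0` is a tag reference; the comment calls it pinned, but a tag can be moved, so pin the full commit SHA and keep `v3.7.0` in the comment for readability.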
@ -189,7 +189,7 @@ jobs:
done done
- name: Generate SBOM (SPDX) - name: Generate SBOM (SPDX)
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
# Pinned to last v0.17 release that ships node20. # Pinned to last v0.17 release that ships node20.
uses: anchore/sbom-action@v0.17.2 uses: anchore/sbom-action@v0.17.2
with: with:
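Review bot: gating the whole Generate SBOM (SPDX) step on `github.server_url` drops the SBOM from Forgejo releases entirely, yet the commit message only identifies the action's signed attestation as needing a Fulcio-trusted issuer; producing the SPDX document itself needs no OIDC token. Keep SBOM generation on both forges and gate only the attestation/signing part, so Forgejo test releases still ship `build/out/veilor-os.spdx.json` next to the ISO and its sha256.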
@ -198,7 +198,7 @@ jobs:
output-file: build/out/veilor-os.spdx.json output-file: build/out/veilor-os.spdx.json
- name: Build provenance attestation - name: Build provenance attestation
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
# Pinned to last v2.2 release that ships node20. # Pinned to last v2.2 release that ships node20.
uses: actions/attest-build-provenance@v2.2.3 uses: actions/attest-build-provenance@v2.2.3
with: with:
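Review bot: this is the fourth verbatim copy of `(github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'`; hoist it into one place (a job-level `if:` on a dedicated signing/attestation job, or a single env flag the four steps test) so Install cosign, Sign ISO parts, Generate SBOM and Build provenance cannot drift when the condition changes again, e.g. when the self-hosted Sigstore or key-pair path from the commit message lands. Also, `actions/attest-build-provenance@v2.2.3` requires `id-token: write` and `attestations: write` on the job; the `permissions:` block is outside this hunk, so it is worth confirming it is still present for the GitHub path.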