diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6ff818498e5e82ae32c9e6f6da75c4aa05be3a78..36cc5ffaa6c991289be49ca0cf5985c8cd29d104 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -55,6 +55,7 @@ stages:
   - quality
   - deploy
   - sign
+  - verify
   - release
   - cleanup
 
@@ -271,6 +272,22 @@ gitlab-opentofu-image:sign:
   rules:
     - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
 
+gitlab-opentofu-image:verify-signature:
+  extends: '.image-matrix:deploy'
+  stage: verify
+  image: alpine:3.20.3
+  before_script:
+    - *image-matrix-deploy-release-name-script
+    - apk add --update cosign
+  script:
+    - cosign verify
+      --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG"
+      --certificate-oidc-issuer "https://gitlab.com"
+      "$RELEASE_IMAGE"
+      "$(crane digest --full-ref "$RELEASE_IMAGE")"
+  rules:
+    - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
+
 .release:base:
   stage: release
   image: registry.gitlab.com/gitlab-org/release-cli:v0.19.0
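Review bot: The last argument of the new verify step, `"$(crane digest --full-ref "$RELEASE_IMAGE")"`, depends on `crane`, but the job's before_script only installs `cosign` (`apk add --update cosign`) on a bare `alpine:3.20.3` image; unless the aliased `*image-matrix-deploy-release-name-script` or the `.image-matrix:deploy` template provides crane, the substitution most likely expands to an empty argument and the job fails on a tooling error rather than on an actual verification result. Since `cosign verify` resolves a tag reference to its digest itself, the simplest fix is to pass `"$RELEASE_IMAGE"` alone and drop the crane substitution, or else install crane explicitly next to cosign. The verification tool is also unpinned while the base image is pinned; `apk add --update cosign=<pinned-version>` would keep the trust decision reproducible across pipeline runs. The first hunk (adding the `verify` stage between `sign` and `release`) is fine as a gate, since `release` now cannot run before the signature check passes.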