ci: stop signing images all the time (#1064)
diff --git a/zuul.d/playbooks/buildset-registry/run.yml b/zuul.d/playbooks/buildset-registry/run.yml
index 7853f2a..467ba31 100644
--- a/zuul.d/playbooks/buildset-registry/run.yml
+++ b/zuul.d/playbooks/buildset-registry/run.yml
@@ -103,6 +103,18 @@
dest: /usr/local/bin/cosign
mode: 0755
+ - name: Copy the cosign public key
+ copy:
+ content: "{{ cosign_key.public }}"
+ dest: cosign.pub
+
+ - name: Verify which images are signed
+ ignore_errors: true
+ ansible.builtin.shell: |
+ cosign verify --key cosign.pub --output json {{ item }}
+ loop: "{{ images_built }}"
+ register: cosign_verify
+
- name: Copy the cosign private key
copy:
content: "{{ cosign_key.private }}"
@@ -111,7 +123,7 @@
- name: Sign images
ansible.builtin.shell: |
cosign sign -y --recursive --key cosign.key {{ item }}
- loop: "{{ images_built }}"
+ loop: "{{ cosign_verify.results | selectattr('failed', 'equalto', true) | map(attribute='item') | list }}"
- name: Delete the cosign private key
file: