ci: stop signing images all the time (#1064)

commit: 62f8dc47a2e02a90c0542be3f62a5cdc4b25a919 [log] [tgz]
author: Mohammed Naser <mnaser@vexxhost.com> Thu Apr 04 12:09:16 2024 -0400
committer: GitHub <noreply@github.com> Thu Apr 04 12:09:16 2024 -0400
tree: c5a6e1afcfd176989d1b247517110acaead4cd0f
parent: 1bd9d0b29b31874aa76edd59c0ee247133747045 [diff]
diff --git a/zuul.d/playbooks/buildset-registry/run.yml b/zuul.d/playbooks/buildset-registry/run.yml
index 7853f2a..467ba31 100644
--- a/zuul.d/playbooks/buildset-registry/run.yml
+++ b/zuul.d/playbooks/buildset-registry/run.yml

@@ -103,6 +103,18 @@
             dest: /usr/local/bin/cosign
             mode: 0755
 
+        - name: Copy the cosign public key
+          copy:
+            content: "{{ cosign_key.public }}"
+            dest: cosign.pub
+
+        - name: Verify which images are signed
+          ignore_errors: true
+          ansible.builtin.shell: |
+            cosign verify --key cosign.pub --output json {{ item }}
+          loop: "{{ images_built }}"
+          register: cosign_verify
+
         - name: Copy the cosign private key
           copy:
             content: "{{ cosign_key.private }}"
@@ -111,7 +123,7 @@
         - name: Sign images
           ansible.builtin.shell: |
             cosign sign -y --recursive --key cosign.key {{ item }}
-          loop: "{{ images_built }}"
+          loop: "{{ cosign_verify.results | selectattr('failed', 'equalto', true) | map(attribute='item') | list }}"
 
         - name: Delete the cosign private key
           file:
commit	62f8dc47a2e02a90c0542be3f62a5cdc4b25a919	[log] [tgz]
author	Mohammed Naser <mnaser@vexxhost.com>	Thu Apr 04 12:09:16 2024 -0400
committer	GitHub <noreply@github.com>	Thu Apr 04 12:09:16 2024 -0400
tree	c5a6e1afcfd176989d1b247517110acaead4cd0f
parent	1bd9d0b29b31874aa76edd59c0ee247133747045 [diff]