cache: sign and verify only if oidc token available

crazy-max · crazy-max · commit 531ca81ed82b · 2026-01-09T16:45:30.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -152,7 +152,7 @@ jobs:
     outputs:
       includes: ${{ steps.set.outputs.includes }}
       sign: ${{ steps.set.outputs.sign }}
-      privateRepo: ${{ steps.set.outputs.privateRepo }}
+      ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
     steps:
       -
         name: Install @docker/actions-toolkit
@@ -162,13 +162,17 @@ jobs:
         with:
           script: |
             await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+      -
+        name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
       -
         name: Set outputs
         id: set
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
           INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
+          INPUT_ACTIONS-ID-TOKEN-SET:  ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }}
           INPUT_RUNNER: ${{ inputs.runner }}
           INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
           INPUT_CONTEXT: ${{ inputs.context }}
@@ -189,6 +193,7 @@ jobs:
 
             const inpSbomImage = core.getInput('sbom-image');
             const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);
+            const inpActionsIdTokenSet = core.getBooleanInput('actions-id-token-set');
             
             const inpRunner = core.getInput('runner');
             const inpArtifactUpload = core.getBooleanInput('artifact-upload');
@@ -271,6 +276,8 @@ jobs:
               core.setOutput('privateRepo', privateRepo);
             });
             
+            core.setOutput('ghaCacheSign', inpActionsIdTokenSet ? 'true' : 'false');
+            
             await core.group(`Set includes output`, async () => {
               let includes = [];
               if (platforms.length === 0) {
@@ -373,9 +380,9 @@ jobs:
             [cache]
               [cache.gha]
                 [cache.gha.sign]
-                  command = ["ghacache-sign-script.sh"]
+                  command = [${{ needs.prepare.outputs.ghaCacheSign == 'true' && '"ghacache-sign-script.sh"' || '' }}]
                 [cache.gha.verify]
-                  required = true
+                  required = ${{ needs.prepare.outputs.ghaCacheSign }}
                   [cache.gha.verify.policy]
                     timestampThreshold = 1
                     tlogThreshold = ${{ needs.prepare.outputs.privateRepo == 'true' && '0' || '1' }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -160,6 +160,7 @@ jobs:
       includes: ${{ steps.set.outputs.includes }}
       sign: ${{ steps.set.outputs.sign }}
       privateRepo: ${{ steps.set.outputs.privateRepo }}
+      ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
     steps:
       -
         name: Install @docker/actions-toolkit
@@ -175,6 +176,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
+          INPUT_ACTIONS-ID-TOKEN-SET:  ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }}
           INPUT_RUNNER: ${{ inputs.runner }}
           INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
           INPUT_OUTPUT: ${{ inputs.output }}
@@ -187,6 +189,7 @@ jobs:
             const { Util } = require('@docker/actions-toolkit/lib/util');
             
             const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);
+            const inpActionsIdTokenSet = core.getBooleanInput('actions-id-token-set');
             
             const inpRunner = core.getInput('runner');
             const inpArtifactUpload = core.getBooleanInput('artifact-upload');
@@ -231,6 +234,8 @@ jobs:
               core.setOutput('privateRepo', privateRepo);
             });
             
+            core.setOutput('ghaCacheSign', inpActionsIdTokenSet ? 'true' : 'false');
+            
             await core.group(`Set includes output`, async () => {
               let includes = [];
               if (inpPlatforms.length === 0) {
@@ -332,9 +337,9 @@ jobs:
             [cache]
               [cache.gha]
                 [cache.gha.sign]
-                  command = ["ghacache-sign-script.sh"]
+                  command = [${{ needs.prepare.outputs.ghaCacheSign == 'true' && '"ghacache-sign-script.sh"' || '' }}]
                 [cache.gha.verify]
-                  required = true
+                  required = ${{ needs.prepare.outputs.ghaCacheSign }}
                   [cache.gha.verify.policy]
                     timestampThreshold = 1
                     tlogThreshold = ${{ needs.prepare.outputs.privateRepo == 'true' && '0' || '1' }}
