bash
5 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
#!/usr/bin/env bash
set -euo pipefail
cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/example/codesnips:${GITHUB_SHA}
cosign verify --key env://COSIGN_PUBLIC_KEY ghcr.io/example/codesnips:${GITHUB_SHA}
1 file · bash
Explain with highlit
Artifact signing gives downstream systems something concrete to verify before deployment. I use cosign because it keeps container and provenance signing practical in CI. Supply chain controls only matter if verification is automated where release decisions happen.
Share this code
Here's the card — post it anywhere.