fix(sign-container): do not run the action in case of private reposit…

…ory to not leak metadata (#48)
LedgerHQ · Nov 7, 2024 · 655e6ae · 655e6ae
1 parent 38bd386
commit 655e6ae
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/actions/sign-container/action.yml b/actions/sign-container/action.yml
@@ -17,6 +17,10 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Check if repository is public (signature are leaking private information)
+      if: ${{ github.event.repository.visibility != 'public' }}
+      shell: bash
+      run: echo "This action only runs on public repositories. To avoid leaking private information, the action will be stopped."
     - name: Install Cosign
       uses: sigstore/cosign-installer@v3
     - name: Sign containers images