cache: sign and verify only if oidc token available

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

Author: crazy-max

.github/workflows/bake.yml

@@ -152,7 +152,7 @@ jobs:
     outputs:
       includes: ${{ steps.set.outputs.includes }}
       sign: ${{ steps.set.outputs.sign }}
-      privateRepo: ${{ steps.set.outputs.privateRepo }}
+      ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
     steps:
       -
         name: Install @docker/actions-toolkit
@@ -162,13 +162,17 @@ jobs:
         with:
           script: |
             await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+      -
+        name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
       -
         name: Set outputs
         id: set
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
           INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
+          INPUT_ACTIONS-ID-TOKEN-SET:  ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }}
           INPUT_RUNNER: ${{ inputs.runner }}
           INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
           INPUT_CONTEXT: ${{ inputs.context }}
@@ -189,6 +193,7 @@ jobs:
 
             const inpSbomImage = core.getInput('sbom-image');
             const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);
+            const inpActionsIdTokenSet = core.getBooleanInput('actions-id-token-set');
             
             const inpRunner = core.getInput('runner');
             const inpArtifactUpload = core.getBooleanInput('artifact-upload');
@@ -294,6 +299,11 @@ jobs:
               core.info(`sign: ${sign}`);
               core.setOutput('sign', sign);
             });
+            await core.group(`Set ghaCacheSign output`, async () => {
+              const ghaCacheSign = inpActionsIdTokenSet ? 'true' : 'false';
+              core.info(`ghaCacheSign: ${ghaCacheSign}`);
+              core.setOutput('ghaCacheSign', ghaCacheSign);
+            });
 
   build:
     runs-on: ${{ matrix.runner }}
@@ -373,9 +383,9 @@ jobs:
             [cache]
               [cache.gha]
                 [cache.gha.sign]
-                  command = ["ghacache-sign-script.sh"]
+                  command = [${{ needs.prepare.outputs.ghaCacheSign == 'true' && '"ghacache-sign-script.sh"' || '' }}]
                 [cache.gha.verify]
-                  required = true
+                  required = ${{ needs.prepare.outputs.ghaCacheSign }}
                   [cache.gha.verify.policy]
                     timestampThreshold = 1
                     tlogThreshold = ${{ needs.prepare.outputs.privateRepo == 'true' && '0' || '1' }}

.github/workflows/build.yml

@@ -160,6 +160,7 @@ jobs:
       includes: ${{ steps.set.outputs.includes }}
       sign: ${{ steps.set.outputs.sign }}
       privateRepo: ${{ steps.set.outputs.privateRepo }}
+      ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
     steps:
       -
         name: Install @docker/actions-toolkit
@@ -169,12 +170,16 @@ jobs:
         with:
           script: |
             await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+      -
+        name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
       -
         name: Set outputs
         id: set
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
+          INPUT_ACTIONS-ID-TOKEN-SET:  ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }}
           INPUT_RUNNER: ${{ inputs.runner }}
           INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
           INPUT_OUTPUT: ${{ inputs.output }}
@@ -187,6 +192,7 @@ jobs:
             const { Util } = require('@docker/actions-toolkit/lib/util');
             
             const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);
+            const inpActionsIdTokenSet = core.getBooleanInput('actions-id-token-set');
             
             const inpRunner = core.getInput('runner');
             const inpArtifactUpload = core.getBooleanInput('artifact-upload');
@@ -254,6 +260,11 @@ jobs:
               core.info(`sign: ${sign}`);
               core.setOutput('sign', sign);
             });
+            await core.group(`Set ghaCacheSign output`, async () => {
+              const ghaCacheSign = inpActionsIdTokenSet ? 'true' : 'false';
+              core.info(`ghaCacheSign: ${ghaCacheSign}`);
+              core.setOutput('ghaCacheSign', ghaCacheSign);
+            });
 
   build:
     runs-on: ${{ matrix.runner }}
@@ -332,9 +343,9 @@ jobs:
             [cache]
               [cache.gha]
                 [cache.gha.sign]
-                  command = ["ghacache-sign-script.sh"]
+                  command = [${{ needs.prepare.outputs.ghaCacheSign == 'true' && '"ghacache-sign-script.sh"' || '' }}]
                 [cache.gha.verify]
-                  required = true
+                  required = ${{ needs.prepare.outputs.ghaCacheSign }}
                   [cache.gha.verify.policy]
                     timestampThreshold = 1
                     tlogThreshold = ${{ needs.prepare.outputs.privateRepo == 'true' && '0' || '1' }}