GHA: yaml: move env: before run: where not there

vszakats · vszakats · commit 24bec48778f3 · 2025-11-02T17:33:37.000+01:00
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml
@@ -79,11 +79,11 @@ jobs:
           COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
       - name: 'sign images with sigstore key'
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:$REL
           cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:$REL
-        env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:$REL
@@ -95,13 +95,13 @@ jobs:
           buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:${REL}"
           buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:latest"
       - name: 'sign images with a sigstore key'
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           cosign sign -y --key cosign.key docker.io/curlimages/curl:$REL
           cosign sign -y --key cosign.key docker.io/curlimages/curl:latest
           cosign sign -y --key cosign.key docker.io/curlimages/curl-base:$REL
           cosign sign -y --key cosign.key docker.io/curlimages/curl-base:latest
-        env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub docker.io/curlimages/curl:$REL
@@ -115,13 +115,13 @@ jobs:
           buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:${REL}"
           buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:latest"
       - name: 'sign images with a sigstore key'
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           cosign sign -y --key cosign.key quay.io/curl/curl:$REL
           cosign sign -y --key cosign.key quay.io/curl/curl:latest
           cosign sign -y --key cosign.key quay.io/curl/curl-base:$REL
           cosign sign -y --key cosign.key quay.io/curl/curl-base:latest
-        env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub quay.io/curl/curl:$REL
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
@@ -74,12 +74,12 @@ jobs:
           COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
       - name: 'sign image with a key'
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev:master
           cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base:master
           cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl:master
-        env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master
diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml
@@ -71,10 +71,10 @@ jobs:
           COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
       - name: 'sign image with a key'
-        run: |
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master
@@ -88,10 +88,10 @@ jobs:
         run: |
           buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master"
       - name: 'sign image with a key'
-        run: |
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml
@@ -73,11 +73,11 @@ jobs:
           COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
       - name: 'sign image with a key'
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:master
           cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:master
-        env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master
