From f055ebd0212424b0c5916e623d2e9dfd43f66d36 Mon Sep 17 00:00:00 2001 From: irongut Date: Sun, 24 Jul 2022 22:16:13 +0100 Subject: [PATCH] sign Docker image on release #32 --- .github/workflows/release-build.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index dae8b11..5251474 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -48,6 +48,8 @@ jobs: permissions: contents: read packages: write + id-token: write # Used for identity challenge with sigstore/fulcio + steps: - name: Harden Runner @@ -58,6 +60,14 @@ jobs: - name: Checkout uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf + - name: Install Cosign + uses: sigstore/cosign-installer@c68f43abf1ae5df2528c9c250088fa14ed2d0ef5 + with: + cosign-release: 'v1.9.0' + + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 + - name: Login to GitHub Container Registry uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 with: @@ -72,9 +82,18 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build + Push Docker image + id: build-and-push uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + # Sign the Docker image digest + # Uses the identity token to provision an ephemeral certificate against the community Fulcio instance + # https://github.com/sigstore/cosign + - name: Sign the Docker image + env: + COSIGN_EXPERIMENTAL: "true" + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
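Review bot: The new `id-token: write` permission is granted at job level, so every step in the job, not only the Sign step, can request an OIDC token from the runner; the inline comment could say so to make the scope explicit, e.g. `id-token: write # needed by the cosign keyless signing step; job-wide, so keep all actions SHA-pinned`. The risk is acceptable here because the other permissions stay at `contents: read` / `packages: write` and the actions in this file are pinned by commit SHA, but the scope is worth documenting for future edits. The `steps:` block and the Harden Runner step continue outside the hunk.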
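Review bot: The `run` line of the Sign step interpolates `${{ steps.meta.outputs.tags }}` and `${{ steps.build-and-push.outputs.digest }}` directly into the shell command, so the tag text is substituted before the shell parses it and any metacharacters in a tag name become part of the command rather than data; metadata-action derives tags from git refs, so this is expression injection rather than a cosmetic issue. Pass both values through the step's existing `env:` instead, `TAGS: ${{ steps.meta.outputs.tags }}` and `DIGEST: ${{ steps.build-and-push.outputs.digest }}`, and change the command to `run: echo "${TAGS}" | xargs -I {} cosign sign "{}@${DIGEST}"`, which keeps the per-line `xargs` behaviour and quotes the composed reference. Keyless signing also needs outbound access to the sigstore services, so if the Harden Runner step (configured outside this hunk) uses a blocking egress policy its allow-list will need the Fulcio, Rekor and OAuth endpoints added or the step will fail at runtime.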