ci: sign all jans containers using cosign (#8409)

* ci: sign images Signed-off-by: moabu <47318409+moabu@users.noreply.github.com> * ci: skip signing if image is not build Signed-off-by: moabu <47318409+moabu@users.noreply.github.com> * ci: add cosign private key Signed-off-by: moabu <47318409+moabu@users.noreply.github.com> * ci: add cosign private key Signed-off-by: moabu <47318409+moabu@users.noreply.github.com> * ci: id-token write Signed-off-by: moabu <47318409+moabu@users.noreply.github.com> * ci: remove private key and password Signed-off-by: moabu <47318409+moabu@users.noreply.github.com> --------- Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
JanssenProject · Apr 29, 2024 · 0eb5aaf · 0eb5aaf
1 parent b650834
commit 0eb5aaf
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/.github/workflows/docker_build_image.yml b/.github/workflows/docker_build_image.yml
@@ -48,6 +48,7 @@ jobs:
   docker:
     permissions:
       packages: write
+      id-token: write
     runs-on: ubuntu-latest
     strategy:
       max-parallel: 8
@@ -59,6 +60,9 @@ jobs:
         with:
           egress-policy: audit
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.5.0
+
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -218,3 +222,15 @@ jobs:
       - name: Image digest
         if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
         run: echo ${{ steps.docker_build.outputs.digest }}
+
+      - name: Sign the images with GitHub OIDC Token
+        if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
+        env:
+          DIGEST: ${{ steps.docker_build.outputs.digest }}
+          TAGS: ${{ steps.prep.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes -a author=JanssenProject ${images}