From 0eb5aafcf3ef5ed2c393d9980e96d84f82e92288 Mon Sep 17 00:00:00 2001
From: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Date: Mon, 29 Apr 2024 18:13:55 +0300
Subject: [PATCH] ci: sign all jans containers using cosign (#8409)

* ci: sign images

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

* ci: skip signing if image is not build

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

* ci: add cosign private key

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

* ci: add cosign private key

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

* ci: id-token write

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

* ci: remove private key and password

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

---------

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
---
 .github/workflows/docker_build_image.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/docker_build_image.yml b/.github/workflows/docker_build_image.yml
index 170250f56ca..58eddd8e0d7 100644
--- a/.github/workflows/docker_build_image.yml
+++ b/.github/workflows/docker_build_image.yml
@@ -48,6 +48,7 @@ jobs:
 docker:
 permissions:
 packages: write
+ id-token: write
 runs-on: ubuntu-latest
 strategy:
 max-parallel: 8
@@ -59,6 +60,9 @@ jobs:
 with:
 egress-policy: audit
 
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.5.0
+
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
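Review bot: `id-token: write` is granted at the job level, so every step of the `docker` job — including the third-party actions it already runs, not only the cosign step — can request a GitHub OIDC token asserting this workflow's identity to any audience. GitHub Actions cannot scope this permission to a single step, so the practical mitigations are SHA-pinning every action in the job and controlling egress; the `egress-policy: audit` on the harden-runner step visible in the next hunk only logs outbound traffic, it does not block it. The permission deserves a comment stating why it exists and what it implies, e.g. `id-token: write  # needed for keyless cosign signing (Fulcio); any step in this job can mint an OIDC token`. If the build is ever split into separate jobs, keep this permission on the signing job only.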
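Review bot: `uses: sigstore/cosign-installer@v3.5.0` pins the tool that produces the release signatures by a mutable tag, while the adjacent `actions/checkout` step in the same hunk is pinned to a full commit SHA with a version comment. A moved or force-pushed tag would let a compromised installer run with the job's `id-token: write` credential and sign arbitrary images under this repository's identity, which is exactly the guarantee this commit is trying to add. Pin it the same way as the checkout step, `uses: sigstore/cosign-installer@<commit-sha> # v3.5.0`, taking the SHA from the upstream v3.5.0 release. The enclosing `steps:` list starts and ends outside this hunk.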
@@ -218,3 +222,15 @@ jobs:
 - name: Image digest
 if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
 run: echo ${{ steps.docker_build.outputs.digest }}
+
+ - name: Sign the images with GitHub OIDC Token
+ if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
+ env:
+ DIGEST: ${{ steps.docker_build.outputs.digest }}
+ TAGS: ${{ steps.prep.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes -a author=JanssenProject ${images}
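Review bot: The `-a author=JanssenProject` annotation on the new `cosign sign` line is free-form, unauthenticated metadata — anyone holding any valid Fulcio certificate can attach the same annotation — so it must not be what consumers verify. With keyless signing the checkable facts are in the certificate (the signing workflow's identity and the OIDC issuer), so the step should carry a comment such as `# keyless signing: verify with --certificate-oidc-issuer https://token.actions.githubusercontent.com and a --certificate-identity matching this workflow's URL; the author annotation is informational only`, and the project docs should publish that verification command. Signing `${tag}@${DIGEST}` rather than bare tags is the right choice, and passing the outputs through `env:` instead of interpolating `${{ }}` into `run:` avoids script injection. The `if:` condition is copied from the existing `Image digest` step; GitHub expressions treat any non-empty string as truthy, so whether `outputs.build` can ever be the string `'false'` depends on the `prep` step, which is outside this hunk. `--yes` also consents to publishing the certificate and image reference to the public Rekor transparency log, which is expected for public images but worth stating in the same comment.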