signing support

.github/workflows/docker.yml

@@ -7,10 +7,19 @@ on:
     tags:
       - '[0-9]+.[0-9]+.[0-9]+'
 
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: ${{ github.repository }}
+
+
 jobs:
   dockerhubpublish:
     name: Build and Publish Docker Container
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
     - name: Checkout
       uses: actions/checkout@v3
@@ -23,12 +32,38 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Extract Docker metadata
+      id: meta
+      uses: docker/metadata-action@v4
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
     - name: Build and push
       uses: docker/build-push-action@v4
       env:
         DOCKER_CONTENT_TRUST: 1
       with:
         context: .
         platforms: linux/amd64,linux/arm64
-        push: true
-        tags: tokendito/tokendito:latest
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+    - name: Install cosign
+      if: github.event_name != 'pull_request'
+      uses: sigstore/cosign-installer@v2.8.1
+      with:
+        cosign-release: 'v1.13.1'
+    - name: Get signing key
+      run: echo "${{ secrets.COSIGN_KEY }}" > cosign.key
+      if: github.event_name != 'pull_request'
+    - name: Sign container image with annotations from our environment
+      run: |
+        cosign sign --key cosign.key \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.tags }}
+      if: github.event_name != 'pull_request'
+      env:
+        COSIGN_PASSWORD: "${{ secrets.SIGNING_KEY_PASSWORD}}"