add docker image signing with GitHub OIDC tokens (#23)

Implements #6
scrayosnet · Feb 3, 2024 · 862eb66 · 862eb66
1 parent adefcf9
commit 862eb66
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -16,11 +16,17 @@ jobs:
       packages: write
       actions: read
       security-events: write
+      # used to complete the identity challenge with sigstore/fulcio when running outside of PRs
+      id-token: write
     steps:
 
     - name: Checkout repository
       uses: actions/checkout@v4
 
+    - name: Install cosign
+      if: github.event_name != 'pull_request'
+      uses: sigstore/cosign-installer@v3
+
     - name: Login into GitHub Container Registry
       uses: docker/login-action@v3
       with:
@@ -46,13 +52,21 @@ jobs:
           type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
 
     - name: Build and push Docker image
+      id: build-and-push
       uses: docker/build-push-action@v5
       with:
         context: .
         push: true
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
 
+    - name: Sign published Docker images
+      if: ${{ github.event_name != 'pull_request' }}
+      env:
+        TAGS: ${{ steps.meta.outputs.tags }}
+        DIGEST: ${{ steps.build-and-push.outputs.digest }}
+      run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
     - name: Scan vulnerabilities with Docker Scout
       id: docker-scout
       uses: docker/scout-action@v1