Maybe sign releases

2025-03-10 13:37:11 +00:00 · 2024-05-09 16:03:29 +01:00 · 2024-05-09 16:03:29 +01:00 · 39f0d220e0
commit 39f0d220e0
parent 8c76aad4e9
1 changed files with 15 additions and 0 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -21,7 +21,10 @@ jobs:
      contents: read
      packages: write
      security-events: write # To upload Trivy sarif files
+      id-token: write # needed for signing the images with GitHub OIDC Token
    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.3.0
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up QEMU
@ -62,6 +65,18 @@ jobs:
            ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:latest
            ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}

+      - name: Sign the images with GitHub OIDC Token
+        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+        env:
+          DIGEST: ${{ steps.docker_build_sliding_sync_release.outputs.digest }}
+          TAGS: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with: