Add image signing (#124)

JasonN3 · Jun 21, 2024 · 326734d · 326734d
1 parent 03ed84a
commit 326734d
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml
@@ -94,6 +94,13 @@ jobs:
           tags: ${{ steps.meta.outputs.tags || steps.meta_pr.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels || steps.meta_pr.outputs.labels }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Push image
         uses: redhat-actions/push-to-registry@v2
         with:
@@ -110,4 +117,25 @@ jobs:
           status: ${{ job.status }}
           context: ${{ env.JOB_NAME }}
           sha: ${{ env.sha }}
-          targetUrl: ${{ steps.jobs.outputs.html_url }}
+          targetUrl: ${{ steps.jobs.outputs.html_url }}
+
+      - name: Install Cosign
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: sigstore/[email protected]
+
+      - name: Sign the images
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          TAGS: ${{ steps.build-image.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          images=""
+          digest=""
+          for tag in ${TAGS}; do
+            if [[ -z "${digest}" ]]
+            then
+              digest=$(cat $(echo ${tag} | tr '/:' '--')_digest.txt)
+            fi
+            images+="${tag}@${digest} "
+          done
+          cosign sign --key env://COSIGN_PRIVATE_KEY --yes ${images}
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY4ljyIhI2w9DOptB4WT20S+K5ts3
+GJTEKRkXmIYEXGfyKpJMdlGCWeg2kOam5dNhWKXXl46d3eBBo9S53TPpyQ==
+-----END PUBLIC KEY-----