Skip to content

Commit 421a23e

Browse files
irevoireirevoire
authored
Merge pull request #3265 from LeSuisse/sign-container-image-cosign
Sign container image using Cosign in keyless mode
2 parents 8d22972 + 191ea34 commit 421a23e

File tree

1 file changed

+17
-0
lines changed

1 file changed

+17
-0
lines changed

.github/workflows/publish-docker-images.yml

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,8 @@ on:
1616
jobs:
1717
docker:
1818
runs-on: docker
19+
permissions:
20+
id-token: write # This is needed to use Cosign in keyless mode
1921
steps:
2022
- uses: actions/checkout@v3
2123

@@ -62,6 +64,9 @@ jobs:
6264
- name: Set up Docker Buildx
6365
uses: docker/setup-buildx-action@v3
6466

67+
- name: Install cosign
68+
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # tag=v3.8.2
69+
6570
- name: Login to Docker Hub
6671
uses: docker/login-action@v3
6772
with:
@@ -85,6 +90,7 @@ jobs:
8590
8691
- name: Build and push
8792
uses: docker/build-push-action@v6
93+
id: build-and-push
8894
with:
8995
push: true
9096
platforms: linux/amd64,linux/arm64
@@ -94,6 +100,17 @@ jobs:
94100
COMMIT_DATE=${{ steps.build-metadata.outputs.date }}
95101
GIT_TAG=${{ github.ref_name }}
96102
103+
- name: Sign the images with GitHub OIDC Token
104+
env:
105+
DIGEST: ${{ steps.build-and-push.outputs.digest }}
106+
TAGS: ${{ steps.meta.outputs.tags }}
107+
run: |
108+
images=""
109+
for tag in ${TAGS}; do
110+
images+="${tag}@${DIGEST} "
111+
done
112+
cosign sign --yes ${images}
113+
97114
# /!\ Don't touch this without checking with Cloud team
98115
- name: Send CI information to Cloud team
99116
# Do not send if nightly build (i.e. 'schedule' or 'workflow_dispatch' event)

0 commit comments

Comments
 (0)