add code signing

2025-12-25 10:57:55 +01:00 · 2024-06-17 10:16:31 -04:00 · 2024-06-17 10:16:31 -04:00 · f345eefc7c
commit f345eefc7c
parent 03ed84acd8
2 changed files with 33 additions and 1 deletions
--- a/.github/workflows/build_container.yml
+++ b/.github/workflows/build_container.yml
@ -94,6 +94,13 @@ jobs:
          tags: ${{ steps.meta.outputs.tags || steps.meta_pr.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels || steps.meta_pr.outputs.labels }}

+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Push image
        uses: redhat-actions/push-to-registry@v2
        with:
@ -110,4 +117,25 @@ jobs:
          status: ${{ job.status }}
          context: ${{ env.JOB_NAME }}
          sha: ${{ env.sha }}
-          targetUrl: ${{ steps.jobs.outputs.html_url }}
+          targetUrl: ${{ steps.jobs.outputs.html_url }}
+      
+      - name: Install Cosign
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: sigstore/cosign-installer@v3.5.0
+
+      - name: Sign the images
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          TAGS: ${{ steps.build-image.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          images=""
+          digest=""
+          for tag in ${TAGS}; do
+            if [[ -z "${digest}" ]]
+            then
+              digest=$(cat $(echo ${tag} | tr '/:' '--')_digest.txt)
+            fi
+            images+="${tag}@${digest} "
+          done
+          cosign sign --key env://COSIGN_PRIVATE_KEY --yes ${images}