add code signing

.github/workflows/build_container.yml

@@ -94,6 +94,13 @@ jobs:
           tags: ${{ steps.meta.outputs.tags || steps.meta_pr.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels || steps.meta_pr.outputs.labels }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Push image
         uses: redhat-actions/push-to-registry@v2
         with:
@@ -110,4 +117,25 @@ jobs:
           status: ${{ job.status }}
           context: ${{ env.JOB_NAME }}
           sha: ${{ env.sha }}
-          targetUrl: ${{ steps.jobs.outputs.html_url }}
+          targetUrl: ${{ steps.jobs.outputs.html_url }}
+      
+      - name: Install Cosign
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: sigstore/cosign-installer@v3.5.0
+
+      - name: Sign the images
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          TAGS: ${{ steps.build-image.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          images=""
+          digest=""
+          for tag in ${TAGS}; do
+            if [[ -z "${digest}" ]]
+            then
+              digest=$(cat $(echo ${tag} | tr '/:' '--')_digest.txt)
+            fi
+            images+="${tag}@${digest} "
+          done
+          cosign sign --key env://COSIGN_PRIVATE_KEY --yes ${images}

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY4ljyIhI2w9DOptB4WT20S+K5ts3
+GJTEKRkXmIYEXGfyKpJMdlGCWeg2kOam5dNhWKXXl46d3eBBo9S53TPpyQ==
+-----END PUBLIC KEY-----