From 862eb664db12e6daf35c73142b590ea68740fc4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joshua=20Dean=20K=C3=BCpper?=
Date: Sat, 3 Feb 2024 21:46:26 +0100
Subject: [PATCH] add docker image signing with GitHub OIDC tokens (#23)
Implements #6
---
.github/workflows/docker.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 6cd3ffc..2dad72b 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -16,11 +16,17 @@ jobs: packages: write actions: read security-events: write + # used to complete the identity challenge with sigstore/fulcio when running outside of PRs + id-token: write steps: - name: Checkout repository uses: actions/checkout@v4 + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@v3 + - name: Login into GitHub Container Registry uses: docker/login-action@v3 with:
@@ -46,6 +52,7 @@ jobs: type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@v5 with: context: .
@@ -53,6 +60,13 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + - name: Sign published Docker images + if: ${{ github.event_name != 'pull_request' }} + env: + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + - name: Scan vulnerabilities with Docker Scout id: docker-scout uses: docker/scout-action@v1
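Review bot: `uses: sigstore/cosign-installer@v3` is resolved from a mutable major-version tag, and because this step installs the tool that produces the signatures added later in this patch, pinning it to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<full-commit-sha>  # v3` (placeholder), keeps a retagged or compromised release from silently swapping the signing tool; the other third-party actions in this file are unchanged context here but would benefit from the same treatment. The `if: github.event_name != 'pull_request'` on this step is written as a bare expression while the signing step in the last hunk writes `if: ${{ github.event_name != 'pull_request' }}`; both are valid, but one form should be used throughout the workflow. The new `id-token: write` is granted at job level for every event even though the steps that use it are skipped on pull requests; that is the documented pattern for keyless signing and the added comment explains it, so no change is needed there.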
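Review bot: The new signing step runs before `Scan vulnerabilities with Docker Scout`, so if that scan is configured to fail the job on findings (its inputs are outside this hunk), the image has already been signed and the signature is already in the registry; moving this step after the scan would make a signature attest that the image was both built and scanned. The `run:` line also assumes `steps.build-and-push.outputs.digest` is non-empty — if the build step does not push (its `push:` input is outside the hunk) the digest may be empty and xargs would hand cosign references ending in `@`, which fails with an unhelpful error; a guard as the first line of a `run: |` block, `test -n "${DIGEST}" || { echo "no image digest to sign" >&2; exit 1; }`, makes that failure explicit. The per-line loop over `${TAGS}` is sound because the metadata action emits one tag per line and `xargs -I {}` splits on newlines, and signing `{}@${DIGEST}` rather than the bare tag is correct since only the digest is immutable.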