feat: keyless signing

Author: duffney

.github/workflows/publish.yml

@@ -30,6 +30,9 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Install cosign
+        uses: sigstore/[email protected]
+
       - name: Cache cargo bin
         id: cache-cargo
         uses: actions/cache@v3
@@ -51,5 +54,17 @@ jobs:
       - name: Run build script
         run: bash scripts/build.sh
 
-      - name: Run publish script
-        run: bash scripts/publish.sh ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+      # - name: Run publish script
+      #   run: bash scripts/publish.sh ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+
+      # using my version until the PR is merged upstream
+      # https://github.com/bytecodealliance/wkg-github-action/pull/7
+      - name: Publish to GitHub Container Registry
+        uses: duffney/wkg-github-action@9680cbd1dd38119bbc519c6c3e0b7fffe0b4982c
+        with:
+          file: target/wasm32-wasi/release/rust_wasi_hello.wasm
+          oci-reference-without-tag: ghcr.io/${{ github.actor }}/rust-wasi-hello
+          version: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+
+      - name: Sign the wasm component
+        run: cosign sign --yes ghcr.io/${{ github.actor }}/rust-wasi-hello@${{ steps.publish.outputs.digest }}