diff --git a/.github/workflows/attest.yml b/.github/workflows/attest.yml
new file mode 100644
index 0000000..dc7b800
--- /dev/null
+++ b/.github/workflows/attest.yml
@@ -0,0 +1,33 @@
+name: build-attested-component
+
+on:
+  push:
+    branches: [cosign]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Attest
+        uses: actions/attest@v1
+        id: attest
+        with:
+          subject-name: ghcr.io/yoshuawuyts/rust-wasi-hello
+          # subject-digest: ${{ steps.push.outputs.digest }}
+          subject-digest: sha256:67940472ac167f1c79224ee645ba59ca54483d95c633f9e67a4d16719d1fa356
+          predicate-type: "https://in-toto.io/attestation/release/v0.1"
+          predicate: '{"purl":"pkg:oci/..."}'
+          push-to-registry: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a086b43..2a9d69f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -53,3 +53,14 @@ jobs:
       - name: Run publish script
         run: bash scripts/publish.sh ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.7.0
+
+      - name: Sign wasm component
+        run: |
+          image="ghcr.io/${{ github.actor }}/rust-wasi-hello:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}"
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY $image
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
diff --git a/.gitignore b/.gitignore
index c41cc9e..99644ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-/target
\ No newline at end of file
+/target
+.bin
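Review bot: `subject-digest` in the Attest step is hard-coded to a fixed sha256, and the commented-out `${{ steps.push.outputs.digest }}` names a `push` step that does not exist in this job — nothing in the workflow builds or pushes anything, so the attestation binds whatever digest was pasted in, not an artifact this run produced, and the predicate `'{"purl":"pkg:oci/..."}'` is still a placeholder. Add the build/push step (one that exposes the pushed digest as an output) ahead of Attest, restore `subject-digest: ${{ steps.push.outputs.digest }}`, and fill in the real purl before this is relied on. For a workflow whose purpose is provenance, pin `actions/checkout`, `docker/login-action` and `actions/attest` to commit SHAs rather than floating tags, and move off `actions/checkout@v2`, which is a deprecated major. `subject-name` also hard-codes `ghcr.io/yoshuawuyts/rust-wasi-hello` while publish.yml derives its image path from `github.actor`; using `ghcr.io/${{ github.repository }}`-style naming in both keeps the attestation attached to the image that was actually published.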
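Review bot: The new `run:` block expands `${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}` directly into the shell script, so a version label containing a quote or `$(...)` is executed as shell before `cosign` ever runs, and `$image` is then passed unquoted; pass the label through `env:` and quote the expansion instead. `cosign sign` is also handed a tag, which cosign resolves to a digest at signing time, so whatever is at that tag after `scripts/publish.sh` returns is what gets signed — if the publish script can emit the pushed digest (not visible here), sign `image@sha256:...` rather than the tag. `sigstore/cosign-installer@v3.7.0` is pinned by tag; pin by commit SHA. If the job already has `id-token: write` (its permissions block is outside the hunk), keyless signing would remove the long-lived `COSIGN_PRIVATE_KEY` from repository secrets entirely.

```yaml
# … unchanged: Install Cosign step …
      - name: Sign wasm component
        env:
          IMAGE_VERSION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          image="ghcr.io/${GITHUB_ACTOR}/rust-wasi-hello:${IMAGE_VERSION}"
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$image"
```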