Add cosign signatures to wasm components on ghcr

.github/workflows/attest.yml

@@ -0,0 +1,33 @@
+name: build-attested-component
+
+on:
+  push:
+    branches: [cosign]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Attest
+        uses: actions/attest@v1
+        id: attest
+        with:
+          subject-name: ghcr.io/yoshuawuyts/rust-wasi-hello
+          # subject-digest: ${{ steps.push.outputs.digest }}
+          subject-digest: sha256:67940472ac167f1c79224ee645ba59ca54483d95c633f9e67a4d16719d1fa356
+          predicate-type: "https://in-toto.io/attestation/release/v0.1"
+          predicate: '{"purl":"pkg:oci/..."}'
+          push-to-registry: true

.github/workflows/publish.yml

@@ -53,3 +53,14 @@ jobs:
 
       - name: Run publish script
         run: bash scripts/publish.sh ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Sign wasm component
+        run: |
+          image="ghcr.io/${{ github.actor }}/rust-wasi-hello:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}"
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY $image
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

.gitignore

@@ -1 +1,2 @@
-/target
+/target
+.bin