66 - " release-v*"
77 tags :
88 - " v*"
9+ # TODO: Added for testing....
10+ workflow_dispatch :
911
1012concurrency :
1113 group : ${{ github.workflow }}-${{ github.ref }}
@@ -153,6 +155,14 @@ jobs:
153155 runs-on : ubuntu-latest
154156 steps :
155157 - uses : actions/checkout@v4
158+
159+ # Install the cosign tool except on PR
160+ # https://github.com/sigstore/cosign-installer
161+ - name : Install cosign
162+ uses : sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
163+ with :
164+ cosign-release : " v2.2.4"
165+
156166 - name : Set up QEMU
157167 uses : docker/setup-qemu-action@v3
158168
@@ -169,6 +179,7 @@ jobs:
169179 password : ${{ secrets.QUAY_ROBOT_TOKEN }}
170180
171181 - name : Build and push (if applicable)
182+ id : build-and-push
172183 uses : docker/build-push-action@v6
173184 with :
174185 context : .
@@ -179,6 +190,21 @@ jobs:
179190 cache-from : type=gha
180191 cache-to : type=gha,mode=max
181192
193+ # Sign the resulting Docker image digest except on PRs.
194+ # This will only write to the public Rekor transparency log when the Docker
195+ # repository is public to avoid leaking data. If you would like to publish
196+ # transparency data even for private images, pass --force to cosign below.
197+ # https://github.com/sigstore/cosign
198+ - name : Sign the published Docker image
199+ if : ${{ startsWith(github.ref, 'refs/tags/') }}
200+ env :
201+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
202+ TAGS : ${{ steps.meta.outputs.tags }}
203+ DIGEST : ${{ steps.build-and-push.outputs.digest }}
204+ # This step uses the identity token to provision an ephemeral certificate
205+ # against the sigstore community Fulcio instance.
206+ run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
207+
182208 github-release :
183209 name : Create/Update GitHub Release
184210 permissions :
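Review bot: The sign step's `if` gates only on tag refs, while the comments above it say "except on PRs" and describe private-repository behaviour, and the digest it signs comes from a step named "Build and push (if applicable)", so on a tag ref where the push did not happen `DIGEST` would be empty and cosign would be invoked with a bare `{}@`. Tightening the guard to `if: ${{ startsWith(github.ref, 'refs/tags/') && steps.build-and-push.outputs.digest != '' }}` and rewording the header comment to `# Sign the published image digest on tag builds only.` keeps the condition and the explanation in agreement. Keyless signing also needs `id-token: write` (plus write access to the registry) in this job's `permissions`, which start outside the hunk, so confirm they are present. The `--force` hint in the comment looks carried over from an older cosign template; with the pinned cosign-release the `--yes` flag on the run line is what suppresses the prompt, so that sentence is likely stale. The new cosign-installer step in the earlier hunk is SHA-pinned while the neighbouring actions use mutable tags (`@v3`, `@v6`); pinning consistently would be the stronger style.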