
Commit 150d9d6

Merge pull request #433 from matrix-org/kegan/sign
Sign releases
2 parents 8c76aad + 39f0d22 commit 150d9d6

1 file changed

+15
-0
lines changed


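--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -21,7 +21,10 @@ jobs:
 contents: read
 packages: write
 security-events: write # To upload Trivy sarif files
+id-token: write # needed for signing the images with GitHub OIDC Token
 steps:
+- name: Install Cosign
+uses: sigstore/cosign-installer@v3.3.0
 - name: Checkout
 uses: actions/checkout@v3
 - name: Set up QEMU
@@ -62,6 +65,18 @@ jobs:
 ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:latest
 ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
 
+- name: Sign the images with GitHub OIDC Token
+if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+env:
+DIGEST: ${{ steps.docker_build_sliding_sync_release.outputs.digest }}
+TAGS: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
+run: |
+images=""
+for tag in ${TAGS}; do
+images+="${tag}@${DIGEST} "
+done
+cosign sign --yes ${images}
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with: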
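Review bot: The Cosign installer added at new line 27 is pinned to a mutable tag (`sigstore/cosign-installer@v3.3.0`) even though it is the step that ends up holding the job's OIDC identity and producing the release signatures, so a moved or compromised tag could sign arbitrary content under this repository's identity; pin it to a full commit SHA, `uses: sigstore/cosign-installer@<full commit SHA> # v3.3.0`, and treat the `actions/checkout@v3` and `aquasecurity/trivy-action@master` context lines the same way. `id-token: write` at new line 24 is a job-level permission, so every step in the job (checkout, QEMU/build, Trivy) can mint an OIDC token, not only the sign step; if any of those run third-party actions, a separate signing job that needs just `packages: write` and `id-token: write` would keep the identity off the build path. `DIGEST` is read from `steps.docker_build_sliding_sync_release`, which lies outside the hunk; if that step is skipped the reference degrades to `…:tag@` and cosign fails closed, but an explicit `test -n "$DIGEST"` before the loop would make that intent visible rather than accidental. Because this is keyless signing, what consumers must verify is the workflow identity, so the README should document the expected `cosign verify --certificate-identity-regexp` (the workflow path under this repository) and `--certificate-oidc-issuer https://token.actions.githubusercontent.com` invocation, otherwise the signature proves nothing to a downstream deployer.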
