Merge pull request #1 from zcash/docker_sig_attest

Build, Attest (SBOM/Provenance) & Sign to Docker Hub

Author: y4ssi

.github/workflows/build-and-push-docker-hub.yaml

@@ -1,22 +1,22 @@
-name: Build and Push Docker Image to Docker Hub
+name: Build, Attest (SBOM/Provenance) & Sign to Docker Hub
 
 on:
   workflow_call:
     inputs:
       image_name:
-        description: "Name of the Docker image to build and push"
+        description: "Docker image name (e.g. user/repo)"
         required: true
         type: string
       image_tags:
-        description: "Comma-separated list of tags for the Docker image"
+        description: "Comma-separated list of tags"
         required: true
         type: string
       dockerfile:
         description: "Path to the Dockerfile"
         required: true
         type: string
       context:
-        description: "Build context for the Docker image"
+        description: "Build context"
         required: true
         type: string
       build-args:
@@ -26,51 +26,79 @@ on:
     secrets:
       dockerhub_registry:
         required: true
-        description: "Docker Hub registry URL (e.g., docker.io)"
+        description: "Docker Hub registry (e.g. docker.io)"
       dockerhub_username:
         required: true
         description: "Docker Hub username"
       dockerhub_password:
         required: true
         description: "Docker Hub password"
 
+permissions:
+  # Needed for keyless signing with Cosign and checkout
+  id-token: write
+  contents: read
+
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
+    env:
+      REGISTRY: ${{ secrets.dockerhub_registry }}
+      IMAGE_NAME: ${{ inputs.image_name }}
     steps:
-      - name: Set Docker Image Tags
+      - name: Compute Docker image tags
         id: set-tags
         run: |
+          set -euo pipefail
           TAGS="${{ inputs.image_tags }}"
-          REGISTRY="${{ secrets.dockerhub_registry }}/${{ inputs.image_name }}"
           IFS=',' read -ra ELEMENTS <<< "$TAGS"
           TAGS_FIXED=""
           for ELEMENT in "${ELEMENTS[@]}"; do
-            TAGS_FIXED+="$REGISTRY:$ELEMENT,"
+            TAGS_FIXED+="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$ELEMENT,"
           done
           TAGS_FIXED=${TAGS_FIXED%,}
           echo "tags_fixed=$TAGS_FIXED" >> $GITHUB_ENV
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to Docker Hub
+      - name: Log in to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.dockerhub_username }}
           password: ${{ secrets.dockerhub_password }}
 
-      - name: Build and Push
-        uses: docker/build-push-action@v5
+      # Buildx will push:
+      # - Image (your tags)
+      # - SBOM as an OCI referrer (sbom: true)
+      # - SLSA provenance as an OCI referrer (provenance: true)
+      - name: Build & Push (with SBOM & provenance)
+        id: build
+        uses: docker/build-push-action@v6
         with:
           file: ${{ inputs.dockerfile }}
           context: ${{ inputs.context }}
           push: true
           tags: ${{ env.tags_fixed }}
-          build-args: ${{ inputs.build-args }}
+          # Input name has a hyphen → use index notation
+          build-args: ${{ inputs['build-args'] }}
+          sbom: true
+          provenance: true # or 'provenance: mode=max' if you prefer
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Cosign sign image by digest (keyless OIDC)
+        env:
+          IMAGE_REF: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          DIGEST: ${{ steps.build.outputs.digest }}
+        run: |
+          set -euo pipefail
+          echo "Signing $IMAGE_REF@$DIGEST"
+          cosign sign --yes "$IMAGE_REF@$DIGEST"