diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index f91f2e5..68a1f5d 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -18,6 +18,11 @@ jobs:
       - name: Set IMAGE
         run: echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - name: Install cosign
+        if: github.ref == 'refs/heads/main'
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+        with:
+          cosign-release: v2.1.1
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
       - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
@@ -35,6 +40,7 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        id: build-and-push
         with:
           context: ${{ env.IMAGE }}
           platforms: linux/amd64,linux/arm64
@@ -43,6 +49,18 @@ jobs:
           sbom: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Sign the published Docker image
+        if: github.ref == 'refs/heads/main'
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          COSIGN_PASSWORD: ''
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: \echo "${TAGS}" | \xargs -I {} cosign sign --key <(\echo "${COSIGN_PRIVATE_KEY}") --yes "{}@${DIGEST}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "repo=${{ github.repository }}" \
+          -a "branch=${{ github.ref_name }}" \
+          -a "ref=${{ github.sha }}"
       - name: Test the Docker image
         working-directory: ${{ env.IMAGE }}
         run: docker compose -f docker-compose.test.yml run sut
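Review bot: In the "Sign the published Docker image" step the multi-line `run:` is a plain scalar, so YAML folds each trailing `\` and line break into `\ `, which bash reads as an escaped space and hands to cosign as a stray " " positional argument ahead of every `-a` (unless the runner's YAML parser folds differently; worth checking the rendered step). Writing it as a block scalar, `run: |` with the whole pipeline indented beneath it, keeps the backslash continuations as real line continuations. The signing key is a passphrase-less long-lived key (`COSIGN_PASSWORD: ''`) kept in repository secrets; cosign's `--key env://COSIGN_PRIVATE_KEY` reference would remove the `<(\echo ...)` process substitution, and keyless signing via the job's OIDC token would avoid holding a private key at all, though that needs `id-token: write` in the permissions block, which lies outside this hunk. The `-a` annotations splice `${{ github.workflow }}` and the other expressions straight into the script; routing them through the step's `env:` block as `TAGS` and `DIGEST` already are keeps expression substitution out of the shell text.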