feat(docker): add image signature

Signed-off-by: Ludovic Ortega <[email protected]>
M0NsTeRRR · Nov 24, 2024 · 4f94500 · 4f94500
1 parent 8ac9e88
commit 4f94500
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 5 deletions.
diff --git a/src/git_automation/templates/workflow/docker.yml.j2 b/src/git_automation/templates/workflow/docker.yml.j2
@@ -5,7 +5,9 @@ docker:
   permissions:
     contents: read
     packages: write # needed for pushing docker image
-    id-token: write # needed for signing the images with GitHub OIDC Token
+  outputs:
+    tags: ${{ steps.meta.outputs.tags }}
+    digest: ${{ steps.build-and-push.outputs.digest }}
   strategy:
     matrix:
       platform:
@@ -23,14 +25,41 @@ docker:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Docker meta
+      id: meta 
+      uses: docker/metadata-action@v5
+      with:
+        images: ghcr.io/sigstore/sample-honk
+        tags: |
+          type=ref,event=pr
+          type=sha
+          type=raw,value=latest
+          type=semver,pattern={{version}}
     - name: Build and push
+      id: build-and-push
       uses: docker/build-push-action@v6
       with:
         platforms: ${{ matrix.platform }}
         sbom: true
         provenance: true
         push: true
-        tags: |
-          ${{ github.repository }}:${{ github.ref_name }}
-          ${{ github.repository }}:latest
+        tags: ${{ steps.docker_meta.outputs.tags }}
+docker-sign:
+  name: Docker sign
+  runs-on: ubuntu-latest
+  permissions:
+    packages: write # needed for pushing docker signature
+    id-token: write # needed for signing the images with GitHub OIDC Token
+  needs: [docker]
+  steps:
+    - name: Sign the images with GitHub OIDC Token
+      env:
+        DIGEST: ${{ needs.docker.outputs.digest }}
+        TAGS: ${{ needs.docker.outputs.tags }}
+      run: |
+        images=""
+        for tag in ${TAGS}; do
+          images+="${tag}@${DIGEST} "
+        done
+        cosign sign --yes ${images}
 {%- endraw %}
diff --git a/src/git_automation/templates/workflow/release.yml.j2 b/src/git_automation/templates/workflow/release.yml.j2
@@ -13,7 +13,7 @@
 {%- if package %}
 {%- if language == "python" %}, publish-package{%- elif language == "go" %}, publish-binary{% endif -%}
 {% endif -%}
-{%- if docker %}, docker{% endif -%}
+{%- if docker %}, docker-sign{% endif -%}
 {%- endset %}
 name: {{ language }} release
 on: