summary refs log tree commit diff
path: root/.github/workflows/docker.yml
diff options
context:
space:
mode:
Diffstat (limited to '.github/workflows/docker.yml')
-rw-r--r--.github/workflows/docker.yml19
1 files changed, 17 insertions, 2 deletions
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index ebad0d4a98..010bce863b 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -11,7 +11,7 @@ on:
 permissions:
   contents: read
   packages: write
-
+  id-token: write # needed for signing the images with GitHub OIDC Token
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -29,6 +29,9 @@ jobs:
       - name: Inspect builder
         run: docker buildx inspect
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.3.0
+
       - name: Checkout repository
         uses: actions/checkout@v4
 
@@ -58,7 +61,7 @@ jobs:
         with:
           images: |
             docker.io/matrixdotorg/synapse
-            ghcr.io/matrix-org/synapse
+            ghcr.io/element-hq/synapse
           flavor: |
             latest=false
           tags: |
@@ -68,6 +71,7 @@ jobs:
             type=pep440,pattern={{raw}}
 
       - name: Build and push all platforms
+        id: build-and-push
         uses: docker/build-push-action@v5
         with:
           push: true
@@ -82,3 +86,14 @@ jobs:
           # https://github.com/rust-lang/cargo/issues/10583
           build-args: |
             CARGO_NET_GIT_FETCH_WITH_CLI=true
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.set-tag.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}