diff options
Diffstat (limited to '.github/workflows/docker.yml')
-rw-r--r-- | .github/workflows/docker.yml | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index ebad0d4a98..010bce863b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -11,7 +11,7 @@ on: permissions: contents: read packages: write - + id-token: write # needed for signing the images with GitHub OIDC Token jobs: build: runs-on: ubuntu-latest @@ -29,6 +29,9 @@ jobs: - name: Inspect builder run: docker buildx inspect + - name: Install Cosign + uses: sigstore/cosign-installer@v3.3.0 + - name: Checkout repository uses: actions/checkout@v4 @@ -58,7 +61,7 @@ jobs: with: images: | docker.io/matrixdotorg/synapse - ghcr.io/matrix-org/synapse + ghcr.io/element-hq/synapse flavor: | latest=false tags: | @@ -68,6 +71,7 @@ jobs: type=pep440,pattern={{raw}} - name: Build and push all platforms + id: build-and-push uses: docker/build-push-action@v5 with: push: true @@ -82,3 +86,14 @@ jobs: # https://github.com/rust-lang/cargo/issues/10583 build-args: | CARGO_NET_GIT_FETCH_WITH_CLI=true + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAGS: ${{ steps.set-tag.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} |