diff options
Diffstat (limited to '')
-rw-r--r-- | .github/workflows/docker.yml | 17 | ||||
-rw-r--r-- | changelog.d/16774.misc | 1 |
2 files changed, 17 insertions, 1 deletions
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 679b76440e..010bce863b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -11,7 +11,7 @@ on: permissions: contents: read packages: write - + id-token: write # needed for signing the images with GitHub OIDC Token jobs: build: runs-on: ubuntu-latest @@ -29,6 +29,9 @@ jobs: - name: Inspect builder run: docker buildx inspect + - name: Install Cosign + uses: sigstore/cosign-installer@v3.3.0 + - name: Checkout repository uses: actions/checkout@v4 @@ -68,6 +71,7 @@ jobs: type=pep440,pattern={{raw}} - name: Build and push all platforms + id: build-and-push uses: docker/build-push-action@v5 with: push: true @@ -82,3 +86,14 @@ jobs: # https://github.com/rust-lang/cargo/issues/10583 build-args: | CARGO_NET_GIT_FETCH_WITH_CLI=true + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAGS: ${{ steps.set-tag.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} diff --git a/changelog.d/16774.misc b/changelog.d/16774.misc new file mode 100644 index 0000000000..c5ad9bf68c --- /dev/null +++ b/changelog.d/16774.misc @@ -0,0 +1 @@ +Sign the published docker image using [cosign](https://docs.sigstore.dev/). \ No newline at end of file |