diff --git a/.github/workflows/docker-ghcr.yml b/.github/workflows/docker-ghcr.yml
index 2638c93..a2bbd1f 100644
--- a/.github/workflows/docker-ghcr.yml
+++ b/.github/workflows/docker-ghcr.yml
@@ -8,6 +8,7 @@ on:
 permissions:
   contents: read
   packages: write
+  id-token: write
 
 env:
   REGISTRY: ghcr.io
@@ -46,6 +47,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Login to GHCR
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v4
@@ -81,3 +85,15 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.tags.outputs.full }}
 
+      - name: Sign images
+        if: github.event_name != 'pull_request'
+        env:
+          TAGS_MINIMAL: ${{ steps.tags.outputs.minimal }}
+          TAGS_BUSYBOX: ${{ steps.tags.outputs.busybox }}
+          TAGS_FULL: ${{ steps.tags.outputs.full }}
+        run: |
+          IFS=',' read -ra TAGS <<< "$TAGS_MINIMAL,$TAGS_BUSYBOX,$TAGS_FULL"
+          for tag in "${TAGS[@]}"; do
+            cosign sign --yes "$tag"
+          done
+
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index dbc54f3..5464775 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 env:
   REGISTRY: docker.io
@@ -44,6 +45,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Login to Docker Hub
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v4
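Review bot: `id-token: write` is granted at the workflow level in the first hunk, so every job in this workflow can mint an OIDC token although only the job that runs `cosign sign` needs one; the same applies to the docker.yml permissions hunk. Moving `id-token: write` into that job's own `permissions:` block keeps the grant at least privilege, and a comment such as `# OIDC token for cosign keyless signing` records why the permission exists. The `jobs:` block is outside the hunk, so whether the workflow has more than one job cannot be confirmed from here.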
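Review bot: `sigstore/cosign-installer@v3` in the Install cosign hunk is a floating major tag, so the version of the tool that produces the signatures can change between runs without any change to this file; the same applies to the docker.yml install hunk. The other actions in the file also use floating tags, so this matches the file's style, but for the signing tool it is worth pinning the action to a commit SHA and fixing the client version through the action's `cosign-release` input, e.g. `with:` / `cosign-release: 'vX.Y.Z'  # placeholder version`, so verifiers know which cosign release produced the signatures.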
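Review bot: The loop in the Sign images step signs by tag (`cosign sign --yes "$tag"`), but a tag is mutable: cosign resolves it to a digest at signing time, and if the tag is later moved the signature no longer describes what the tag points to; the same applies to the docker.yml Sign images hunk. Signing the immutable digest exposed by each build-push step's `digest` output, once per image instead of once per tag, removes that window and also avoids pushing duplicate signatures for tags that share a digest. Separately, if any of the three `steps.tags` outputs is empty, the `IFS=','` split produces an empty field and the step runs `cosign sign --yes ""`, which fails the job; a `[ -n "$ref" ] || continue` guard covers it. A comment above the step (or a README note) should also state how consumers verify, namely that keyless verification needs `--certificate-oidc-issuer https://token.actions.githubusercontent.com` and a `--certificate-identity-regexp` matching this workflow. The build step ids and the image name are outside the hunk, so the fence uses labelled placeholders for them.
```yaml
      - name: Sign images
        if: github.event_name != 'pull_request'
        env:
          # placeholder ids: replace with the real build-push step ids of this workflow
          DIGEST_MINIMAL: ${{ steps.build_minimal.outputs.digest }}
          DIGEST_BUSYBOX: ${{ steps.build_busybox.outputs.digest }}
          DIGEST_FULL: ${{ steps.build_full.outputs.digest }}
          IMAGE: ${{ env.REGISTRY }}/IMAGE_NAME_PLACEHOLDER
        run: |
          # sign each distinct digest once; a variant that was not built yields an empty digest
          for digest in "$DIGEST_MINIMAL" "$DIGEST_BUSYBOX" "$DIGEST_FULL"; do
            [ -n "$digest" ] || continue
            cosign sign --yes "${IMAGE}@${digest}"
          done
```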
@@ -77,3 +81,15 @@ jobs:
           platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.tags.outputs.full }}
+
+      - name: Sign images
+        if: github.event_name != 'pull_request'
+        env:
+          TAGS_MINIMAL: ${{ steps.tags.outputs.minimal }}
+          TAGS_BUSYBOX: ${{ steps.tags.outputs.busybox }}
+          TAGS_FULL: ${{ steps.tags.outputs.full }}
+        run: |
+          IFS=',' read -ra TAGS <<< "$TAGS_MINIMAL,$TAGS_BUSYBOX,$TAGS_FULL"
+          for tag in "${TAGS[@]}"; do
+            cosign sign --yes "$tag"
+          done
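Review bot: The build step's `platforms:` context line shows a multi-arch image, yet `cosign sign --yes "$tag"` in the Sign images step signs only the manifest list digest the tag resolves to, not the per-platform manifests beneath it, so a consumer who pulls a single-platform manifest by its own digest has no signature to check; the same applies to the docker-ghcr.yml Sign images hunk. If per-platform verification is wanted, add `--recursive` (`cosign sign --yes --recursive "$tag"`) so each platform manifest is signed as well. Whether consumers are expected to verify at the index or at the platform level is a policy choice this workflow does not record; a one-line comment above the step stating the intended level would settle it.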