From 44e97a55e446774eb1e19dc3d782db77c37f3a51 Mon Sep 17 00:00:00 2001
From: Ramiz Polic <32913827+ramizpolic@users.noreply.github.com>
Date: Fri, 7 Jun 2024 15:17:55 +0200
Subject: [PATCH] feat(build): add image signing GH action (#82)

Signed-off-by: Ramiz Polic
---
 .github/workflows/artifacts.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 620c645..3faf732 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -66,6 +66,9 @@ jobs:
 - name: Set up Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + - name: Set up Cosign uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - name: Set image name id: image-name run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
@@ -114,6 +117,18 @@ jobs:
 outputs: ${{ steps.build-output.outputs.value }} # push: ${{ inputs.publish }} + - name: Sign image with GitHub OIDC Token if: inputs.publish env: DIGEST: ${{ steps.build.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} run: | images="" for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done cosign sign --yes ${images} + - name: Set image ref id: image-ref run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
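Review bot: Keyless `cosign sign` with the GitHub OIDC token requires `id-token: write` (and `packages: write`, since the signature is pushed to the ghcr.io repository alongside the image) in the job's `permissions:`, and the second hunk does not touch that block; if the job or workflow does not already grant both, the new "Sign image with GitHub OIDC Token" step fails at the token exchange, so the grant should travel with this change or the step should document that dependency. The loop also assumes `steps.build.outputs.digest` is non-empty, and an empty value produces refs like `tag@` that cosign rejects with a less obvious error, so a guard before the loop such as `[ -n "${DIGEST}" ] || { echo "build produced no digest to sign" >&2; exit 1; }` makes the failure explicit. Consumers of the signature need to know which identity to pin, so a comment above the step along the lines of `# Keyless signature via GitHub OIDC; verify with --certificate-oidc-issuer https://token.actions.githubusercontent.com and a --certificate-identity-regexp matching this workflow` would document the intended trust anchor. The enclosing job and its `permissions:` block start outside the hunk.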