From a7fe2f73aa5115c65c28efd7ce94697279169695 Mon Sep 17 00:00:00 2001
From: Andreas Salhus Bakseter <141913422+baksetercx@users.noreply.github.com>
Date: Tue, 7 Jan 2025 17:10:24 +0100
Subject: [PATCH] WIP sign images after build
---
 .github/workflows/test-actions.yml | 4 +---
 build/action.yml | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
index 8962064..0777957 100644
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -219,9 +219,7 @@ jobs:
 fail-fast: false
 matrix: ${{ fromJson(needs.prepare-jobs.outputs.matrix-build) }}
 concurrency:
- group: |
- ${{ github.workflow }}-${{ github.event_name }}-${{ matrix.runner }}-${{ matrix.application-name }}-${{ matrix.project-file }}-${{ matrix.registry }}
- cancel-in-progress: true
+ group: '${{ matrix.application-name }}-${{ matrix.registry }}'
 runs-on: ${{ matrix.runner }}
 permissions:
 actions: read
diff --git a/build/action.yml b/build/action.yml
index be0162c..f3c53d5 100644
--- a/build/action.yml
+++ b/build/action.yml
@@ -163,6 +163,10 @@ runs:
 with:
 version: '0.27.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+ - name: Install Cosign if not using Elvia runner # TODO: install on Elvia runner
+ # if: ${{ !startsWith(runner.name, 'elvia-runner-') }}
+ uses: sigstore/cosign-installer@v3
+
 - name: Handle deprecated inputs
 shell: bash
 run: |
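Review bot: `uses: sigstore/cosign-installer@v3` resolves a mutable major tag, and this is the step that installs the tool the action later trusts to sign images, so pin it to a full commit SHA with the version as a trailing comment (`uses: sigstore/cosign-installer@<full-sha> # v3.x.y`) and fix the binary too with `with: cosign-release: 'vX.Y.Z'`, as the context line above already does for the 3lv CLI with `version: '0.27.1'`. Because the `if:` is commented out, Cosign is installed unconditionally, including on the Elvia runners the TODO on the same line refers to; if that is intended for now, the comment could say so explicitly.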
@@ -208,6 +212,20 @@ runs:
 run: |
 echo "image-name=$(cat /tmp/3lv-cli-output/image-name)" >> "$GITHUB_OUTPUT"
+ - name: Sign image with Cosign using GitHub OIDC token
+ shell: bash
+ run: |
+ image_name_without_tag=$(echo "$IMAGE_NAME" | cut -d ':' -f 1)
+ image_digest=$(docker manifest inspect "$IMAGE_NAME" | jq -r '.config.digest')
+ cosign sign \
+ --yes \
+ --registry-referrers-mode=oci-1-1 \
+ --tlog-upload=false \
+ "$image_name_without_tag@$image_digest"
+ env:
+ IMAGE_NAME: ${{ steps.get-outputs.outputs.image-name }}
+ COSIGN_EXPERIMENTAL: '1'
+
 - name: Upload Trivy scan results to GitHub Advanced Security
 if: ${{ inputs.trivy-upload-report == 'true' && !cancelled() }}
 uses: github/codeql-action/upload-sarif@v3
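Review bot: `jq -r '.config.digest'` extracts the digest of the image's config blob, not of the manifest, so the `cosign sign` call a few lines below signs a reference that does not identify the pushed image (and for a multi-arch index `docker manifest inspect` has no top-level `.config`, so the digest comes back as the literal string `null`); resolve the manifest/index digest instead, e.g. `docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "$IMAGE_NAME"`, and fail the step when the result is not a `sha256:` value. `cut -d ':' -f 1` also truncates a registry host that carries a port, so `${IMAGE_NAME%:*}` is the safer way to drop the tag. With keyless signing, `--tlog-upload=false` leaves no Rekor entry proving the short-lived Fulcio certificate was valid at signing time, so consumers must verify with `--insecure-ignore-tlog=true`; if skipping the log is deliberate, pair it with `--timestamp-server-url` so the signing time is attested, otherwise drop the flag. The step also presumably needs `id-token: write` granted by the calling workflow (not visible in this hunk), and `COSIGN_EXPERIMENTAL` is a no-op on cosign v2, which the v3 installer provides by default.
```yaml
      - name: Sign image with Cosign using GitHub OIDC token
        shell: bash
        run: |
          set -euo pipefail
          # Drop only the tag; `cut -d ':'` would also truncate a registry host with a port.
          image_name_without_tag="${IMAGE_NAME%:*}"
          # Manifest (or index) digest is what cosign must sign — not .config.digest (the config blob).
          image_digest=$(docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "$IMAGE_NAME")
          if [[ "$image_digest" != sha256:* ]]; then
            echo "could not resolve manifest digest for $IMAGE_NAME" >&2
            exit 1
          fi
          # Re-add --tlog-upload=false only together with --timestamp-server-url.
          cosign sign \
            --yes \
            --registry-referrers-mode=oci-1-1 \
            "$image_name_without_tag@$image_digest"
        # … unchanged: env block (IMAGE_NAME) …
```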