WIP sign images after build

3lvia · Jan 8, 2025 · fcca139 · fcca139
1 parent 0a7a617
commit fcca139
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/build/action.yml b/build/action.yml
@@ -163,6 +163,10 @@ runs:
       with:
         version: '0.27.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 
+    - name: Install Cosign if not using Elvia runner # TODO: install on Elvia runner
+      # if: ${{ !startsWith(runner.name, 'elvia-runner-') }}
+      uses: sigstore/cosign-installer@v3
+
     - name: Handle deprecated inputs
       shell: bash
       run: |
@@ -208,6 +212,15 @@ runs:
       run: |
         echo "image-name=$(cat /tmp/3lv-cli-output/image-name)" >> "$GITHUB_OUTPUT"
 
+    - name: Sign image with Cosign using GitHub OIDC token
+      shell: bash
+      run: |
+        image_name_without_tag=$(echo "$IMAGE_NAME" | cut -d ':' -f 1)
+        image_digest=$(docker manifest inspect "$IMAGE_NAME" | jq -r '.config.digest')
+        cosign sign --yes --oidc-provider=github-actions "$image_name_without_tag@$image_digest"
+      env:
+        IMAGE_NAME: ${{ steps.get-outputs.outputs.image-name }}
+
     - name: Upload Trivy scan results to GitHub Advanced Security
       if: ${{ inputs.trivy-upload-report == 'true' && !cancelled() }}
       uses: github/codeql-action/upload-sarif@v3