add cosign of images in build workflow (#280)

2026-02-27 09:54:18 +08:00 · 2024-04-08 23:22:57 +02:00
parent 369a522b0b
commit 99c736955d
1 changed files with 30 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,6 +17,7 @@ on:

 permissions:
  contents: read
+  id-token: write
  packages: write

 jobs:
@@ -42,6 +43,10 @@ jobs:
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

+      - name: Install Cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@v3
+
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

@@ -79,6 +84,15 @@ jobs:
          build-args: |
            apiVersion=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }}

+      - name: Sign the images (with GitHub OIDC Token)
+        if: github.event_name != 'pull_request'
+        run: |
+          cosign sign --yes --recursive \
+            tobiasehlert/teslamateapi@${{ steps.docker_build.outputs.digest }}
+
+          cosign sign --yes --recursive \
+            ghcr.io/tobiasehlert/teslamateapi@${{ steps.docker_build.outputs.digest }}
+
      - name: Inspect image
        run: |
          echo "::group::Inspecting Manifest"
@@ -97,6 +111,22 @@ jobs:
          docker buildx imagetools inspect ${{ fromJson(steps.docker_meta.outputs.json).tags[0] }}@${{ steps.docker_build.outputs.digest }} --format '{{ json (index .SBOM "linux/amd64") }}'
          echo "::endgroup::"

+      - name: Verify cosign signatures
+        run: |
+          echo "::group::Verify signature (DockerHub)"
+          cosign verify --rekor-url https://rekor.sigstore.dev \
+            --certificate-identity "https://github.com/${{ github.repository }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            tobiasehlert/teslamateapi@${{ steps.docker_build.outputs.digest }}
+          echo "::endgroup::"
+
+          echo "::group::Verify signature (GitHub Container Registry)"
+          cosign verify --rekor-url https://rekor.sigstore.dev \
+            --certificate-identity "https://github.com/${{ github.repository }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            ghcr.io/tobiasehlert/teslamateapi@${{ steps.docker_build.outputs.digest }}
+          echo "::endgroup::"
+
  dockerhub:
    if: github.event_name == 'release'
    runs-on: ubuntu-latest