diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index 700dfb38..fbe97da4 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -102,6 +102,13 @@ jobs:
 # Run only on tagging
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
 steps:
 - name: Set env
@@ -126,11 +133,26 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v2
+
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ -
+ name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@main
 - name: Download a single artifact
 uses: actions/download-artifact@v2
 with:
 name: Package
+ -
+ name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v3
+ with:
+ images: anhefti/seb-server
+ tags: |
+ type=raw,${{ env.TAG_NAME }}
 - name: Build and push
 id: docker_build
@@ -140,4 +162,17 @@ jobs:
 file: ./docker/Dockerfile
 push: true
 tags: |
- anhefti/seb-server:${{ env.TAG_NAME }}
\ No newline at end of file
+ anhefti/seb-server:${{ env.TAG_NAME }}
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: cosign sign ${TAGS}
+ env:
+ COSIGN_EXPERIMENTAL: true
+ TAGS: ${{ steps.meta.outputs.tags }}
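Review bot: `packages: write` is granted in the new `permissions:` block, but the only registry visible in this diff is Docker Hub (`anhefti/seb-server`, pushed by the `docker_build` step); unless a step outside the diff also pushes to GHCR, that scope is unused and the job should keep only `contents: read` and `id-token: write`. The job-level `if:` on the context line above already restricts the job to tag pushes, so this permission set applies to every run that reaches the signing step, which the comment on `id-token` could state directly: `# Job runs only on tag pushes (see if: above); id-token lets cosign obtain a short-lived Fulcio certificate.` Whether any later step needs `packages: write` cannot be confirmed from the hunk.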
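Review bot: `uses: sigstore/cosign-installer@main` pulls the signing tool from a moving branch inside a release job, so the tool that produces the signature can change between runs without any change to this repository; pin it to a release tag or full commit SHA, `uses: sigstore/cosign-installer@<pinned-tag-or-sha>` (placeholder). The step-level `if: github.event_name != 'pull_request'` on this step and on the metadata step is redundant given the job-level tag-push `if:` and can be dropped. The tag that later gets signed (`steps.meta.outputs.tags`, built from `type=raw,${{ env.TAG_NAME }}`) is constructed independently of the tag the `Build and push` step pushes, and metadata-action may normalise the raw value, so having the push step consume `${{ steps.meta.outputs.tags }}` keeps the pushed and signed references identical. The `Build and push` step's `with:` block continues outside this hunk.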
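Review bot: `run: cosign sign ${TAGS}` signs a mutable tag even though the comment above it says the image digest is signed; the build step carries `id: docker_build`, and docker/build-push-action exposes a `digest` output, so the signature can be bound to the immutable image with `run: cosign sign "anhefti/seb-server@${DIGEST}"` and `DIGEST: ${{ steps.docker_build.outputs.digest }}` in `env:`. Signing by digest also removes the unstated assumption that `steps.meta.outputs.tags` is a single line, which the unquoted `${TAGS}` relies on. `if: ${{ github.event_name != 'pull_request' }}` uses a different style from the bare `if:` expressions elsewhere in the file, and `COSIGN_EXPERIMENTAL: true` is a YAML boolean that the runner stringifies; writing it `COSIGN_EXPERIMENTAL: "true"` makes the intended string value explicit. The `Build and push` step's `with:` block begins outside this hunk.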