From 68bbd910c74dd2a4b128aaa6cb99fef63286751b Mon Sep 17 00:00:00 2001
From: PSanetra
Date: Fri, 9 Aug 2024 16:38:58 +0200
Subject: [PATCH] feat(image): Sign image with cosign
---
 .github/workflows/main.yaml | 17 +++++++++++++++++
 .github/workflows/update.yaml | 15 +++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 79ec645..76efa0d 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -9,6 +9,8 @@ jobs:
 push_images:
 name: Test and Push Images
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # needed for signing the images with GitHub OIDC Token
 strategy:
 matrix:
 # "{0}" will be replaced by the latest pushed nginx version
@@ -44,6 +46,8 @@ jobs:
 nginx-tag: "${{ steps.target_nginx_tag.outputs.tag }}"
 matrix-nginx: "${{ matrix.nginx }}"
 docker-repository: "${{ vars.DOCKER_REPOSITORY }}"
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3
 - uses: docker/setup-qemu-action@v3
 name: Set up QEMU
 - uses: docker/setup-buildx-action@v3
@@ -55,6 +59,7 @@ jobs:
 password: ${{ secrets.DOCKER_PASSWORD }}
 - uses: docker/build-push-action@v6
 name: Build and push
+ id: build-and-push
 if: ${{ steps.target_tags.outputs.tags != '' }}
 with:
 context: .
@@ -65,3 +70,15 @@ jobs:
 build-args: NGINX_TAG=${{ steps.target_nginx_tag.outputs.tag }}
 provenance: mode=max
 sbom: true
+ - name: Sign the images with GitHub OIDC Token
+ if: ${{ steps.target_tags.outputs.tags != '' }}
+ env:
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ TAGS: ${{ steps.target_tags.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS//,/ }; do
+ images+="${tag}@${DIGEST} "
+ done
+ echo '${{ secrets.DOCKER_PASSWORD }}' | cosign login ${{ vars.HELM_REGISTRY }} --username '${{ secrets.DOCKER_USERNAME }}' --password-stdin
+ cosign sign --yes ${images}
diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml
index f846731..a9b539f 100644
--- a/.github/workflows/update.yaml
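Review bot: The job-level `permissions:` block added before `strategy:` grants only `id-token: write`, which resets every other GITHUB_TOKEN scope for this job to none, including the default `contents: read`. If this repository is private, or any step in the job relies on the token to read the repository, actions/checkout will stop working once this lands; adding `contents: read` next to `id-token: write` keeps the intended least-privilege set explicit either way. The first hunk of update.yaml adds the same block and needs the same treatment. The `push_images` job definition continues outside the hunk, so I cannot see which steps use the token.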
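Review bot: `sigstore/cosign-installer@v3` in the new step is referenced by a mutable major tag, so the tool that produces the image signatures is itself fetched from a moving target; pinning it to a full commit SHA with the version in a trailing comment (`uses: sigstore/cosign-installer@<commit-sha>  # v3.x`) makes the signing step reproducible and still lets Dependabot track updates. The other actions in this job are tag-pinned too, so this may be the project's convention, but the signing tool is where a SHA pin pays off most. The step list continues outside the hunk.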
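Review bot: The `cosign login` line in the new `run:` script interpolates `secrets.DOCKER_PASSWORD`, `secrets.DOCKER_USERNAME` and `vars.HELM_REGISTRY` directly into shell source with `${{ }}`, while the step already has an `env:` block for `DIGEST` and `TAGS`; passing the three values through `env:` as well and referencing them as quoted shell variables avoids the script-injection pattern (a value containing a quote changes the command) and follows GitHub's guidance for expression values in `run:`. The step is also gated only on `steps.target_tags.outputs.tags`, so if the build step fails or yields no digest the script would try to sign `tag@`; adding `steps.build-and-push.outputs.digest != ''` to the `if:` makes that explicit. Two things I cannot verify from the hunk and would confirm: whether `vars.HELM_REGISTRY` is the registry host the `TAGS` values point at (the build step uses `vars.DOCKER_REPOSITORY`), and whether the separate `cosign login` is needed at all, since cosign normally picks up the credentials the earlier `docker/login-action` step wrote to the Docker config. The same step is added in the last hunk of update.yaml and gets the same rewrite. The `push_images` step list ends with this hunk.
```yaml
        if: ${{ steps.target_tags.outputs.tags != '' && steps.build-and-push.outputs.digest != '' }}
        env:
          # … unchanged: DIGEST and TAGS …
          REGISTRY: ${{ vars.HELM_REGISTRY }}
          REGISTRY_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          # … unchanged: build the images list from TAGS and DIGEST …
          printf '%s' "$REGISTRY_PASSWORD" | cosign login "$REGISTRY" --username "$REGISTRY_USERNAME" --password-stdin
```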
+++ b/.github/workflows/update.yaml
@@ -11,6 +11,8 @@ jobs:
 rebase_images:
 name: Update Images
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # needed for signing the images with GitHub OIDC Token
 strategy:
 matrix:
 spa_server_major_version: [ "latest", "1" ]
@@ -81,6 +83,7 @@ jobs:
 password: ${{ secrets.DOCKER_PASSWORD }}
 - uses: docker/build-push-action@v6
 name: Build and push
+ id: build-and-push
 if: ${{ steps.check_if_update_is_necessary.outputs.needs_update == 'true' && steps.target_image_name.outputs.tags != '' }}
 with:
 context: .
@@ -91,3 +94,15 @@ jobs:
 build-args: NGINX_TAG=${{ steps.target_nginx_tag.outputs.tag }}
 provenance: mode=max
 sbom: true
+ - name: Sign the images with GitHub OIDC Token
+ if: ${{ steps.target_tags.outputs.tags != '' }}
+ env:
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ TAGS: ${{ steps.target_image_name.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS//,/ }; do
+ images+="${tag}@${DIGEST} "
+ done
+ echo '${{ secrets.DOCKER_PASSWORD }}' | cosign login ${{ vars.HELM_REGISTRY }} --username '${{ secrets.DOCKER_USERNAME }}' --password-stdin
+ cosign sign --yes ${images}
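Review bot: The `if:` of the new signing step tests `steps.target_tags.outputs.tags`, but the same step reads its tag list from `steps.target_image_name.outputs.tags`, and the build step in the previous hunk is gated on `steps.target_image_name.outputs.tags` together with `steps.check_if_update_is_necessary.outputs.needs_update`. If no step with id `target_tags` exists in this workflow (I cannot see the rest of the job), that expression is always empty and the signing step silently never runs; if it does exist, the step can still run when the build was skipped because `needs_update` was not `'true'`, and then attempts to sign an empty digest. Mirroring the build step's condition and checking the digest closes both gaps: `if: ${{ steps.check_if_update_is_necessary.outputs.needs_update == 'true' && steps.target_image_name.outputs.tags != '' && steps.build-and-push.outputs.digest != '' }}`. The `rebase_images` step list ends with this hunk.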