fix: added image signing

spectrocloud · Jan 8, 2024 · edaeeaa · edaeeaa
1 parent 5ac406a
commit edaeeaa
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -62,6 +62,7 @@ jobs:
     - name: Build and push
       if: ${{ steps.dependencies.outputs.VERSION != ''}}
       uses: docker/build-push-action@v2
+      id: build-and-push
       with:
         context: .
         build-args: |
@@ -74,7 +75,23 @@ jobs:
         platforms: linux/amd64,linux/arm64
         push: true
         tags: ghcr.io/${{ github.repository }}:${{steps.dependencies.outputs.VERSION}}
-
+
+    - uses: sigstore/[email protected]
+
+    - name: Image Signing
+        run: |
+          cosign sign --yes \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          -a "owner=Spectro Cloud" \
+          --key env://COSIGN_PRIVATE_KEY --recursive "${TAGS}@${DIGEST}"
+        env:
+          TAGS: ghcr.io/${{ github.repository }}:${{steps.dependencies.outputs.VERSION}}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
 
   release:
     name: "Release"