build-docker-images: Sign our Docker images via OIDC
authorRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 9 Sep 2025 10:38:03 +0000 (12:38 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 22 Sep 2025 12:30:45 +0000 (14:30 +0200)
Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
.github/workflows/build-docker-images.yml

index 401aedb5232caf7b2f9b4811c1cdc1e40ca89448..175fe9fcd1b2991cfbe0a79f317399fe2f4a7b1d 100644 (file)
@@ -163,6 +163,8 @@ jobs:
     env:
       IMAGE_NAME: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ inputs.image-name }}
     steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.7.0
       - name: Download digests
         uses: actions/download-artifact@v4
         with:
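Review bot: The new `Install cosign` step pins `sigstore/cosign-installer@v3.7.0` to a release tag, which is mutable; for a step that installs the tool that produces the image signatures, pin to the full commit SHA and keep the version in a comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha>  # v3.7.0` (SHA to be taken from the upstream release). The surrounding steps (`actions/download-artifact@v4`) use tag pins as well, so this may be a workflow-wide convention rather than an oversight, but the signing tool is where a tag repoint would matter most. The enclosing job starts before this hunk.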
@@ -194,6 +196,14 @@ jobs:
           TAG: ${{ steps.meta.outputs.version }}
         run: |
           echo "image-digest=$(docker buildx imagetools inspect $IMAGE_NAME:$TAG --format="{{json .Manifest}}" | jq -r .digest)" >> "$GITHUB_OUTPUT"
+      - name: Sign product image
+        id: sign-image
+        env:
+          TAG: |
+            ${{ env.IMAGE_NAME }}@${{ steps.get-image-digest.outputs.image-digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign --yes ${TAG}
 
   test-uploaded-images:
     name: test ${{ matrix.platform.arch }} uploaded images
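Review bot: In the new `Sign product image` step, `TAG: |` is a literal block scalar that keeps a trailing newline, so the value passed to `cosign sign --yes ${TAG}` only works because unquoted expansion strips it via word splitting; `TAG: >-` (or `|-`) together with `run: cosign sign --yes "${TAG}"` makes the reference exact and robust. Keyless signing through the workflow's identity token also requires `permissions: id-token: write` on this job (plus write access to the registry so the signature can be pushed alongside the image); the job's `permissions:` block is outside the hunk, so confirm it is declared, otherwise the step fails at token acquisition. It would also help consumers to extend the step comment with the expected certificate identity (the workflow ref) and OIDC issuer `https://token.actions.githubusercontent.com` so the published images can be checked with `cosign verify --certificate-identity-regexp ... --certificate-oidc-issuer ...`.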