From: Remi Gacogne Date: Tue, 9 Sep 2025 10:38:03 +0000 (+0200) Subject: build-docker-images: Sign our Docker images via OIDC X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=191d2046e648e668b4db3224f65707a11213ca7e;p=thirdparty%2Fpdns.git build-docker-images: Sign our Docker images via OIDC Signed-off-by: Remi Gacogne
---
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index 401aedb52..175fe9fcd 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -163,6 +163,8 @@ jobs: env: IMAGE_NAME: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ inputs.image-name }} steps: + - name: Install cosign uses: sigstore/cosign-installer@v3.7.0 - name: Download digests uses: actions/download-artifact@v4 with:
@@ -194,6 +196,14 @@ jobs: TAG: ${{ steps.meta.outputs.version }} run: | echo "image-digest=$(docker buildx imagetools inspect $IMAGE_NAME:$TAG --format="{{json .Manifest}}" | jq -r .digest)" >> "$GITHUB_OUTPUT" + - name: Sign product image id: sign-image env: TAG: | ${{ env.IMAGE_NAME }}@${{ steps.get-image-digest.outputs.image-digest }} # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. run: cosign sign --yes ${TAG} test-uploaded-images: name: test ${{ matrix.platform.arch }} uploaded images
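Review bot: The added `Install cosign` step pins `sigstore/cosign-installer` to the tag `v3.7.0`, which is mutable; because this is the tool that mints the signing certificate for the published images, pin it to the full commit SHA of that tag, `uses: sigstore/cosign-installer@<commit-sha> # v3.7.0`, so a retagged release cannot substitute the installer inside the signing job. The `actions/download-artifact@v4` context line below it has the same exposure but is pre-existing and not part of this change. The enclosing job starts before this hunk.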
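Review bot: The new `Sign product image` step relies on keyless OIDC, which needs `permissions: id-token: write` on this job; the job header is outside the hunk, so confirm that permission is granted there, otherwise `cosign sign --yes ${TAG}` cannot obtain the identity token and the step fails. `TAG: |` is a literal block scalar, so the value carries a trailing newline that only the unquoted `${TAG}` hides through shell word splitting; a plain scalar such as `IMAGE_REF: ${{ env.IMAGE_NAME }}@${{ steps.get-image-digest.outputs.image-digest }}` with `run: cosign sign --yes "${IMAGE_REF}"` avoids that and stops reusing the name `TAG`, which the preceding step already uses for a real tag, for a digest reference. Indentation is lost in this view, but the two `#` comment lines must sit shallower than the block scalar's body or they become part of the value. The step comment should also record how consumers verify the signature — the certificate identity is this workflow's ref and the issuer is `https://token.actions.githubusercontent.com`, not the Docker Hub organization — so that `cosign verify` callers pin `--certificate-oidc-issuer` and `--certificate-identity-regexp` instead of accepting any Fulcio-issued certificate.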