ci(github-actions): Enable cosign for nightly builds

This patch adds a first PoC for cosign-signed container images. Cosign helps to authenticate the origin of a container image and is an important step towards supply chain integrity in the container ecosystem. This patch only introduces this change to nightly builds, in order to evaluate the changes before we utilise them for releases. Signed-off-by: Sheogorath <[email protected]>
hedgedoc · May 4, 2022 · 3389e61 · 3389e61
1 parent 3a15ab9
commit 3389e61
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -8,6 +8,9 @@ on:
 jobs:
   nightly:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     strategy:
       matrix:
         base: [debian, alpine]
@@ -18,6 +21,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.8.0'
+
       - name: Set date
         run: echo TODAY=$(date +%Y%m%d) >> $GITHUB_ENV
 
@@ -35,6 +43,7 @@ jobs:
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Build and push image
+        id: build-push
         uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # tag=v2
         with:
           context: .
@@ -47,3 +56,9 @@ jobs:
           tags: |
             ${{ env.HEDGEDOC_IMAGE }}:${{ env.TODAY }}-${{ matrix.base }}
             ${{ env.HEDGEDOC_IMAGE }}:${{ matrix.base }}
+
+      - name: Sign the images with GitHub OIDC Token
+        run: cosign sign ${IMAGE}
+        env:
+          IMAGE: ${{ env.HEDGEDOC_IMAGE }}@${{ steps.push-step.outputs.digest }}
+          COSIGN_EXPERIMENTAL: 1