Merge pull request #44 from StacklokLabs/sign-image

Sign the mkp image with cosign

Author: JAORMX

.github/workflows/release.yml

@@ -12,6 +12,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -67,4 +68,20 @@ jobs:
             --platform=linux/amd64,linux/arm64 \
             --base-import-paths \
             --tags $VERSION,latest \
-            ./cmd/server
+            ./cmd/server
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+      - name: Sign Image with Cosign
+        env:
+          KO_DOCKER_REPO: ghcr.io/${{ steps.repo_owner.outputs.OWNER }}/mkp
+        run: |
+          TAG=$(echo "${{ steps.tag.outputs.VERSION }}" | sed 's/+/_/g')
+          # Sign the ko image
+          cosign sign -y $KO_DOCKER_REPO:$TAG
+
+          # Sign the latest tag if building from a tag
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            cosign sign -y $KO_DOCKER_REPO:latest
+          fi

Taskfile.yml

@@ -49,11 +49,6 @@ tasks:
       - go fmt ./...
       - golangci-lint run --fix
 
-  lint:
-    desc: Lint the code
-    cmds:
-      - golangci-lint run
-
   deps:
     desc: Update dependencies
     cmds: