Sign container image with Sigstore cosign (#82)

* Update release.yaml - cosign sign Signed-off-by: Mathieu Benoit <mathieu-benoit@hotmail.fr> * Update release.yaml Signed-off-by: Mathieu Benoit <mathieu-benoit@hotmail.fr> --------- Signed-off-by: Mathieu Benoit <mathieu-benoit@hotmail.fr>
score-spec · Nov 18, 2024 · 7dad4da · 7dad4da
1 parent 688fe71
commit 7dad4da
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,7 +3,10 @@ on:
   push:
     tags:
       - 0.**
-permissions: write-all
+permissions:
+  id-token: write
+  packages: write
+  contents: write
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -36,6 +39,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push docker image
+        id: build-push-container
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -44,3 +48,8 @@ jobs:
           tags: |
             ghcr.io/score-spec/score-k8s:${{ github.ref_name }}
             ghcr.io/score-spec/score-k8s:latest
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Sign container image
+        run: |
+          cosign sign --yes ghcr.io/score-spec/score-k8s@${{ steps.build-push-container.outputs.digest }}