diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dd06008..74efb81 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -84,3 +84,56 @@ jobs:
 IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/cpp-cli"
 docker push "${IMAGE_NAME}:v${{ needs.semantic-release.outputs.next-version }}"
 docker push "${IMAGE_NAME}:latest"
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v2
+ with:
+ version: latest
+
+ - name: Prepare attestation predicate
+ run: |
+ IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/cpp-cli"
+ V_TAG="${IMAGE_NAME}:v${{ needs.semantic-release.outputs.next-version }}"
+ VERSION="${{ needs.semantic-release.outputs.next-version }}"
+ cat > predicate.json < cosign.key
+ chmod 600 cosign.key
+
+ - name: Attest Docker image
+ run: |
+ IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/cpp-cli"
+ V_TAG="${IMAGE_NAME}:v${{ needs.semantic-release.outputs.next-version }}"
+ cosign attest --key cosign.key --predicate predicate.json "$V_TAG"
+
+ - name: Verify attestation
+ env:
+ COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+ run: |
+ echo "$COSIGN_PUBLIC_KEY" > cosign.pub
+ IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/cpp-cli"
+ V_TAG="${IMAGE_NAME}:v${{ needs.semantic-release.outputs.next-version }}"
+ cosign verify-attestation --key cosign.pub "$V_TAG"
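Review bot: The attest and verify steps address the image by the mutable tag `$V_TAG`, so cosign attests whatever digest the registry resolves that tag to at that instant rather than the image this job just pushed; capture the digest once after the push, e.g. `DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$V_TAG")`, and pass `"$DIGEST"` to both `cosign attest` and `cosign verify-attestation`. The private key written to `cosign.key` is never removed and so stays in the workspace for the rest of the job; add `rm -f cosign.key` immediately after the attest step, or better, move to keyless signing with `permissions: id-token: write` so no long-lived signing key has to be stored as a secret at all. `sigstore/cosign-installer@v2` with `version: latest` leaves the signing tool itself unpinned in a workflow whose purpose is provenance; pin the action to a commit SHA and cosign to an explicit release. The step that writes the key and the heredoc body of `predicate.json` are truncated in this rendering (`cat > predicate.json < cosign.key`), so the predicate contents and how the key material and any passphrase are supplied could not be reviewed here.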