From 7d1680925a962c0f8a44273f1477100af291ee6d Mon Sep 17 00:00:00 2001
From: Martin Bruzina
Date: Tue, 9 Dec 2025 12:28:48 +0100
Subject: [PATCH] feat: signing
---
 .github/workflows/release.yaml | 53 ++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dd06008..74efb81 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -84,3 +84,56 @@ jobs:
 IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/cpp-cli"
 docker push "${IMAGE_NAME}:v${{ needs.semantic-release.outputs.next-version }}"
 docker push "${IMAGE_NAME}:latest"
+ + - name: Install cosign uses: sigstore/cosign-installer@v2 with: version: latest + - name: Prepare attestation predicate run: | IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/cpp-cli" V_TAG="${IMAGE_NAME}:v${{ needs.semantic-release.outputs.next-version }}" VERSION="${{ needs.semantic-release.outputs.next-version }}" cat > predicate.json < cosign.key chmod 600 cosign.key + - name: Attest Docker image run: | IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/cpp-cli" V_TAG="${IMAGE_NAME}:v${{ needs.semantic-release.outputs.next-version }}" cosign attest --key cosign.key --predicate predicate.json "$V_TAG" + - name: Verify attestation env: COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }} run: | echo "$COSIGN_PUBLIC_KEY" > cosign.pub IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/cpp-cli" V_TAG="${IMAGE_NAME}:v${{ needs.semantic-release.outputs.next-version }}" cosign verify-attestation --key cosign.pub "$V_TAG"
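Review bot: Both `cosign attest` and `cosign verify-attestation` in the new steps operate on the mutable tag `$V_TAG`, so the attestation binds to whatever digest that tag resolves to at signing time rather than to the image this job just pushed; resolve the digest once after the push and use it in both places, e.g. `DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$V_TAG")` then `cosign attest --yes --key cosign.key --type custom --predicate predicate.json "$DIGEST"`, and pass the same `--type custom` to the verify step so it does not accept an attestation of a different predicate type. The signing toolchain itself is unpinned at two levels — `sigstore/cosign-installer@v2` is a floating major tag and `version: latest` tracks whatever cosign release is current — which is the supply-chain exposure this commit is trying to reduce; pin the action to a commit SHA and `version` to a specific release (if `latest` resolves to cosign 2.x, non-interactive `attest` also needs `--yes`). The private key is materialised as `cosign.key` in the workspace and never removed; set `umask 077` before the redirect (chmod after creation leaves a readable window) and delete it in an `if: always()` step so a later upload-artifact step cannot pick it up. The predicate heredoc and the key-loading step are garbled in this paste (`cat > predicate.json < cosign.key`), so their contents could not be reviewed; a long-lived private key in repository secrets could be avoided altogether with keyless signing via the job's OIDC token (`permissions: id-token: write`).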