ci: sign docker images with cosign and github oidc identity

sangwa · sangwa · commit 9366997cd9d5 · 2025-07-18T17:22:15.000+03:00
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -101,6 +101,20 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+
+      - name: Get Cosign OIDC Token
+        id: cosign-token
+        run: |
+          OIDC_TOKEN="$(
+            curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN"
+            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r .value
+          )"
+          test -n "$OIDC_TOKEN"
+          echo "::add-mask::$OIDC_TOKEN"
+          echo "token=$OIDC_TOKEN" >> $GITHUB_OUTPUT
+
       - name: Authenticate to AWS
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
@@ -134,6 +148,16 @@ jobs:
           push: true
           tags: ${{ steps.odyn-metadata.outputs.tags }}
 
+      - name: Sign Odyn Image
+        run: |
+          for tag in $tags
+          do
+            cosign sign --yes --identity-token "$COSIGN_OIDC_TOKEN" "$tag"
+          done
+        env:
+          tags: ${{ steps.odyn-metadata.outputs.tags }}
+          COSIGN_OIDC_TOKEN: ${{ steps.cosign-token.outputs.token }}
+
       - name: Generate Runtime Base Image Metadata
         id: wrapper-base-metadata
         uses: docker/metadata-action@v4
@@ -155,6 +179,16 @@ jobs:
           push: true
           tags: ${{ steps.wrapper-base-metadata.outputs.tags }}
 
+      - name: Sign Runtime Base Image
+        run: |
+          for tag in $tags
+          do
+            cosign sign --yes --identity-token "$COSIGN_OIDC_TOKEN" "$tag"
+          done
+        env:
+          tags: ${{ steps.wrapper-base-metadata.outputs.tags }}
+          COSIGN_OIDC_TOKEN: ${{ steps.cosign-token.outputs.token }}
+
       - name: Generate CLI Image Metadata
         id: cli-metadata
         uses: docker/metadata-action@v4
@@ -176,6 +210,16 @@ jobs:
           push: true
           tags: ${{ steps.cli-metadata.outputs.tags }}
 
+      - name: Sign CLI Image
+        run: |
+          for tag in $tags
+          do
+            cosign sign --yes --identity-token "$COSIGN_OIDC_TOKEN" "$tag"
+          done
+        env:
+          tags: ${{ steps.cli-metadata.outputs.tags }}
+          COSIGN_OIDC_TOKEN: ${{ steps.cosign-token.outputs.token }}
+
   upload-release-artifact:
     if: github.repository == 'EternisAI/enclaver' && github.ref_type == 'tag'
     needs: build-release-binaries
