diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml
index b923fd6..c3b5483 100644
--- a/.github/workflows/auto-assign-pr.yml
+++ b/.github/workflows/auto-assign-pr.yml
@@ -7,13 +7,8 @@ on:
   pull_request:
     types: [opened]
 
-permissions:
-  contents: read
-
 jobs:
   assignAuthor:
-    permissions:
-      issues: write # for samspills/assign-pr-to-author
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index dae8b11..5251474 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -48,6 +48,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write # Used for identity challenge with sigstore/fulcio
+
     steps:
       - name: Harden Runner
@@ -58,6 +60,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@c68f43abf1ae5df2528c9c250088fa14ed2d0ef5
+        with:
+          cosign-release: 'v1.9.0'
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
         with:
@@ -72,9 +82,18 @@ jobs:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       - name: Build + Push Docker image
+        id: build-and-push
         uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      # Sign the Docker image digest
+      # Uses the identity token to provision an ephemeral certificate against the community Fulcio instance
+      # https://github.com/sigstore/cosign
+      - name: Sign the Docker image
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
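Review bot: Removing both the top-level `permissions: contents: read` and the job-level `issues: write` in auto-assign-pr.yml leaves assignAuthor running with whatever the repository's default GITHUB_TOKEN permissions are, which on repositories still using the permissive default is read/write on every scope. If the goal was to fix a permission the assign action needed, keep the explicit block and widen it in place rather than deleting the scoping, e.g. restore `permissions:` / `issues: write # for samspills/assign-pr-to-author` on the job together with the top-level `contents: read`. On a repository whose default token is read-only this removal would instead make the assign step fail, so the outcome is either over- or under-privileged depending on a setting outside the workflow. The assignAuthor steps continue outside the hunk.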
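Review bot: The new `uses:` lines for sigstore/cosign-installer and docker/setup-buildx-action in the third hunk are pinned to full commit SHAs, which is the right call, but neither records the tag the SHA resolves to, so a reader cannot tell which action version is installed or whether the pin is stale without resolving the commit; the existing checkout and login-action pins in this file have the same gap. Add the resolved tag as a trailing comment, `uses: sigstore/cosign-installer@c68f43abf1ae5df2528c9c250088fa14ed2d0ef5 # <resolved tag>` (and likewise for setup-buildx-action), so pin bumps can be checked against the upstream release during review. A smaller style point: `cosign-release: 'v1.9.0'` uses single quotes while the sign step later in the file writes `"true"` with double quotes; pick one quoting style for plain string values in this workflow.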
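Review bot: The `run:` line of the new Sign step interpolates `${{ steps.meta.outputs.tags }}` and `${{ steps.build-and-push.outputs.digest }}` directly into the shell command, so the expression text is spliced into the script before bash parses it; if `meta` is docker/metadata-action, as the `images:` input suggests, its tags are derived from the triggering ref, and a ref name containing shell metacharacters would be interpreted rather than quoted. Pass both values through the step's existing `env:` block and reference them as shell variables: `TAGS: ${{ steps.meta.outputs.tags }}`, `DIGEST: ${{ steps.build-and-push.outputs.digest }}`, and `run: echo "$TAGS" | xargs -I {} cosign sign {}@"$DIGEST"`. Signing by the pushed digest rather than by tag, as the step already does, is the right choice since a tag can be re-pointed after signing while the digest cannot.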