PR: Sign Docker image on release

.github/workflows/auto-assign-pr.yml

@@ -7,13 +7,8 @@ on:
   pull_request:
     types: [opened]
 
-permissions:
-  contents: read
-
 jobs:
   assignAuthor:
-    permissions:
-      issues: write  # for samspills/assign-pr-to-author
     runs-on: ubuntu-latest
     steps:
 

.github/workflows/release-build.yml

@@ -48,6 +48,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write # Used for identity challenge with sigstore/fulcio
+
     steps:
 
       - name: Harden Runner
@@ -58,6 +60,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@c68f43abf1ae5df2528c9c250088fa14ed2d0ef5
+        with:
+          cosign-release: 'v1.9.0'
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
         with:
@@ -72,9 +82,18 @@ jobs:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build + Push Docker image
+        id: build-and-push
         uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      # Sign the Docker image digest
+      # Uses the identity token to provision an ephemeral certificate against the community Fulcio instance
+      # https://github.com/sigstore/cosign
+      - name: Sign the Docker image
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}