Sign main branch container builds with cosign (#194)

bitwarden · Dec 16, 2024 · f78640d · f78640d
1 parent f8aa9a9
commit f78640d
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -41,6 +41,9 @@ jobs:
     name: Build Docker images
     runs-on: ubuntu-22.04
     needs: build-artifacts
+    permissions:
+      security-events: write
+      id-token: write
     env:
       _AZ_REGISTRY: bitwardenprod.azurecr.io
       _PROJECT_NAME: key-connector
@@ -83,6 +86,7 @@ jobs:
           unzip KeyConnector.zip -d src/KeyConnector/obj/build-output/publish
 
       - name: Build Docker image
+        id: build-docker
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: src/KeyConnector
@@ -91,6 +95,23 @@ jobs:
           push: true
           tags: ${{ steps.image-name.outputs.name }}
 
+      - name: Install Cosign
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Sign image with Cosign
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+        env:
+          DIGEST: ${{ steps.build-docker.outputs.digest }}
+          TAGS: ${{ steps.image-name.outputs.name }}
+        run: |
+          IFS="," read -a tags <<< "${TAGS}"
+          images=""
+          for tag in "${tags[@]}"; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
       - name: Scan Docker image
         id: container-scan
         uses: anchore/scan-action@49e50b215b647c5ec97abb66f69af73c46a4ca08 # v5.0.1