Sign docker container during CICD build process

[Cyber-JiuJiteria]

Using the "Publish Docker Container By GitHub Actions" Github action configuration to add the cosign tool and perform container signing

`

  # Install the cosign tool except on PR
  # https://github.com/sigstore/cosign-installer
  - name: Install cosign
    if: github.event_name != 'pull_request'
    uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
    with:
      cosign-release: 'v1.13.1'

  # Extract metadata (tags, labels) for Docker
  # https://github.com/docker/metadata-action
  - name: Extract Docker metadata
    id: meta
    uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
    with:
      images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      

# Sign the resulting Docker image digest except on PRs.
  # This will only write to the public Rekor transparency log when the Docker
  # repository is public to avoid leaking data.  If you would like to publish
  # transparency data even for private images, pass --force to cosign below.
  # https://github.com/sigstore/cosign
  - name: Sign the published Docker image
    if: ${{ github.event_name != 'pull_request' }}
    env:
      COSIGN_EXPERIMENTAL: "true"
    # This step uses the identity token to provision an ephemeral certificate
    # against the sigstore community Fulcio instance.
    run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}

`

[agnes-sharan]

Hi is this repo open to contribution?

[JLLeitschuh]

It is! 🙂