From 4939a636f93473d5965c3077c8a35964cd50e125 Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Mon, 2 Feb 2026 20:01:30 +0100
Subject: [PATCH] feat(ci): sign container image

---
 .gitea/workflows/artifacthub-metadata.yaml | 24 +++++++++++-
 .gitea/workflows/release.yaml | 5 +++
 .goreleaser.yaml | 45 ++++++++++++++++++++++
 3 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/artifacthub-metadata.yaml b/.gitea/workflows/artifacthub-metadata.yaml
index 9fb84ec..3861964 100644
--- a/.gitea/workflows/artifacthub-metadata.yaml
+++ b/.gitea/workflows/artifacthub-metadata.yaml
@@ -2,8 +2,8 @@ name: Upload ArtifactHub Metadata
 
 on:
 schedule:
- - cron: '0 3 1 * *'
- workflow_dispatch:
+ - cron: '0 3 1 * *'
+ workflow_dispatch:
 
 jobs:
 upload-metadata:
@@ -11,6 +11,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6.0.2
+ - uses: sigstore/cosign-installer@v4.0.0
+ with:
+ cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
 - uses: docker/login-action@v3.7.0
 with:
 registry: git.cryptic.systems
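Review bot: The `sigstore/cosign-installer` step added after `actions/checkout` installs a binary that nothing in this workflow appears to invoke — both new steps in this file publish the public key with `oras`, not `cosign`. Unless a step outside the visible hunks calls cosign, drop the installer from artifacthub-metadata.yaml and keep it only in release.yaml, where the signing happens; each action fetched at run time is one more dependency to pin and audit. If it is kept on purpose, say what uses it, e.g. `# cosign is needed here for ...; the oras pushes below do not use it`.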
@@ -28,8 +31,25 @@ jobs:
 oras push git.cryptic.systems/volker.raschek/dcmerge:artifacthub.io \
 --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
 artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+ - name: Push public cosign key to git.cryptic.systems
+ env:
+ COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+ run: |
+ echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+ oras push git.cryptic.systems/volker.raschek/dcmerge:cosign.pub \
+ --artifact-type application/vnd.dev.cosign.public-key.v1 \
+ cosign.pub:application/vnd.dev.cosign.public-key.v1
+
 - name: Push artifacthub-repo.yml to docker.io
 run: |
 oras push docker.io/volkerraschek/dcmerge:artifacthub.io \
 --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
 artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+ - name: Push public cosign key to docker.io
+ env:
+ COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+ run: |
+ echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+ oras push docker.io/volkerraschek/dcmerge:cosign.pub \
+ --artifact-type application/vnd.dev.cosign.public-key.v1 \
+ cosign.pub:application/vnd.dev.cosign.public-key.v1
\ No newline at end of file
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index b214542..3df0210 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -31,6 +31,9 @@ jobs:
 "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.deb"
 dpkg -i syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
 rm syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
+ - uses: sigstore/cosign-installer@v4.0.0
+ with:
+ cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
 - uses: docker/setup-qemu-action@v3.7.0
 - uses: docker/setup-buildx-action@v3.12.0
 - uses: actions/setup-go@v6.2.0
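Review bot: `echo "${COSIGN_PUBLIC_KEY}" > cosign.pub` runs without any check, so an unset or empty `vars.COSIGN_PUBLIC_KEY` yields an empty cosign.pub that `oras push` then publishes under the `cosign.pub` tag as the repository's verification key; the docker.io step at the end of this hunk has the same gap. Fail the job before the push instead, e.g. `test -n "${COSIGN_PUBLIC_KEY}" || { echo "COSIGN_PUBLIC_KEY is empty" >&2; exit 1; }` followed by `grep -q 'BEGIN PUBLIC KEY' cosign.pub || exit 1` to reject anything that is not a PEM public key. The file is also written twice with identical content; writing it once in a guarded step and reusing it for both pushes removes the duplication. The new last line lacks a trailing newline (`\ No newline at end of file`), which some YAML linters flag.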
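Review bot: `sigstore/cosign-installer@v4.0.0` is pinned by a mutable tag, and this installer fetches the binary that will hold the release signing key, so a moved tag changes the signer for every release; the surrounding steps pin by tag as well, so this matches the file, but it is the step where a commit-SHA pin pays off most, e.g. `- uses: sigstore/cosign-installer@<commit-sha> # v4.0.0`, with the version kept in the trailing comment for Renovate. The `cosign-release: "v3.0.3"` line already carries a Renovate hint, so the same update path applies. The enclosing step list continues outside the hunk.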
@@ -42,6 +45,8 @@ jobs:
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
 - env:
+ COSIGN_PASSPHRASE: ${{ secrets.COSIGN_PASSPHRASE }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 GITEA_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
 GONOSUMDB: ${{ vars.GONOSUMDB }}
 GOPROXY: ${{ vars.GOPROXY }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 3307f7d..3985fa8 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -311,6 +311,51 @@ sboms:
 - "--enrich=all"
 - "--output=spdx-json=$document"
 
+docker_signs:
+- # ID of the sign config, must be unique. # Only relevant if you want to produce some sort of signature file. # # Default: 'default'. id: container-images # Path to the signature command. # # Default: 'cosign'. cmd: cosign # Command line arguments for the command. # # Default: ["sign", "--key=cosign.key", "${artifact}@${digest}", "--yes"]. # Templates: allowed. args: - "sign" - "--key=env://COSIGN_PRIVATE_KEY" - "${artifact}@${digest}" - "--yes" # Which artifacts to sign. # # all: all artifacts # none: no signing # images: only docker images # manifests: only docker manifests # '': images built by dockers_v2 # # Default: ''. artifacts: all # IDs of the artifacts to sign. ids: - container-images # Stdin data to be given to the signature command as stdin. # # Templates: allowed. stdin: "{{ .Env.COSIGN_PASSPHRASE }}" # StdinFile file to be given to the signature command as stdin. # stdin_file: ./passphrase.key gitea_urls: api: https://git.cryptic.systems/api/v1 download: https://git.cryptic.systems
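Review bot: The two new `env` entries put `COSIGN_PRIVATE_KEY` and `COSIGN_PASSPHRASE` into the environment of every process this step starts, not only of cosign — whatever goreleaser spawns for docker builds, SBOM generation and signing inherits them. That is how goreleaser's `--key=env://COSIGN_PRIVATE_KEY` and `{{ .Env.COSIGN_PASSPHRASE }}` in .goreleaser.yaml are fed, but the coupling is invisible from this file; add a comment above the two lines, e.g. `# consumed by docker_signs in .goreleaser.yaml (env:// key reference and stdin passphrase template)`, so a rename on either side is caught in review. The step's `run`/`uses` lines are outside the hunk, so whether anything other than goreleaser runs with this environment cannot be checked here.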
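Review bot: Most of the 45 added lines in `docker_signs` are goreleaser's reference-config comments reproduced verbatim, including the per-option defaults and a commented-out `stdin_file: ./passphrase.key`, which buries the settings that actually define the signature: `--key=env://COSIGN_PRIVATE_KEY`, signing by `${artifact}@${digest}`, `artifacts: all` narrowed to `ids: [container-images]`, and the passphrase template. Keep the non-default keys with one short comment each and drop the copied defaults and the dead `stdin_file` line. The passphrase could alternatively be supplied through cosign's own `COSIGN_PASSWORD` environment variable rather than templated into `stdin`, keeping the secret out of goreleaser's template pipeline; and `--yes` also confirms the upload of the signature to the public transparency log, which deserves a one-line comment since image reference and signing metadata then become publicly recorded. The `ids: - container-images` entry assumes a docker build config with that id elsewhere in .goreleaser.yaml, which is outside the hunk.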