feat(ci): sign container image

2026-02-02 20:01:30 +01:00
parent 84047787a5
commit bb24ce0e07
3 changed files with 72 additions and 2 deletions
--- a/.gitea/workflows/artifacthub-metadata.yaml
+++ b/.gitea/workflows/artifacthub-metadata.yaml
@@ -2,8 +2,8 @@ name: Upload ArtifactHub Metadata

 on:
  schedule:
-    - cron: '0 3 1 * *' 
-  workflow_dispatch: 
+    - cron: '0 3 1 * *'
+  workflow_dispatch:

 jobs:
  upload-metadata:
@@ -11,6 +11,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v6.0.2
+    - uses: sigstore/cosign-installer@v4.0.0
+      with:
+        cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
    - uses: docker/login-action@v3.7.0
      with:
        registry: git.cryptic.systems
@@ -28,8 +31,25 @@ jobs:
        oras push git.cryptic.systems/volker.raschek/dcmerge:artifacthub.io \
          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key to git.cryptic.systems
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      run: |
+        cosign public-key --key env://COSIGN_PRIVATE_KEY > /tmp/cosign.pub
+        oras push git.cryptic.systems/volker.raschek/dcmerge:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          /tmp/cosign.pub:application/vnd.dev.cosign.public-key.v1
+
    - name: Push artifacthub-repo.yml to docker.io
      run: |
        oras push docker.io/volkerraschek/dcmerge:artifacthub.io \
          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key to docker.io
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      run: |
+        cosign public-key --key env://COSIGN_PRIVATE_KEY > /tmp/cosign.pub
+        oras push docker.io/volkerraschek/dcmerge:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          /tmp/cosign.pub:application/vnd.dev.cosign.public-key.v1