feat(ci): sign container image

chore(deps): update oras to v1.3.0
fix(ci): use docker/login-action action
2026-02-02 20:18:06 +01:00 · 2026-02-01 22:33:06 +01:00 · 2026-02-01 22:26:53 +01:00 · 2026-02-01 22:22:14 +01:00 · 2026-02-01 11:16:20 +00:00 · 2026-02-01 10:55:21 +00:00
6 changed files with 114 additions and 9 deletions
--- a/.gitea/workflows/artifacthub-metadata.yaml
+++ b/.gitea/workflows/artifacthub-metadata.yaml
@@ -0,0 +1,55 @@
+name: Upload ArtifactHub Metadata
+
+on:
+  schedule:
+    - cron: '0 3 1 * *'
+  workflow_dispatch:
+
+jobs:
+  upload-metadata:
+    name: "Upload artifacthub-repo.yml to OCI registry"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6.0.2
+    - uses: sigstore/cosign-installer@v4.0.0
+      with:
+        cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
+    - uses: docker/login-action@v3.7.0
+      with:
+        registry: git.cryptic.systems
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+    - uses: docker/login-action@v3.7.0
+      with:
+        username: ${{ secrets.DOCKER_IO_USERNAME }}
+        password: ${{ secrets.DOCKER_IO_PASSWORD }}
+    - uses: oras-project/setup-oras@v1.2.4
+      with:
+        version: 1.3.0 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
+    - name: Push artifacthub-repo.yml to git.cryptic.systems
+      run: |
+        oras push git.cryptic.systems/volker.raschek/dcmerge:artifacthub.io \
+          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
+          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key to git.cryptic.systems
+      env:
+        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+      run: |
+        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+        oras push git.cryptic.systems/volker.raschek/dcmerge:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          cosign.pub:application/vnd.dev.cosign.public-key.v1
+
+    - name: Push artifacthub-repo.yml to docker.io
+      run: |
+        oras push docker.io/volkerraschek/dcmerge:artifacthub.io \
+          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
+          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key to docker.io
+      env:
+        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+      run: |
+        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+        oras push docker.io/volkerraschek/dcmerge:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          cosign.pub:application/vnd.dev.cosign.public-key.v1
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -31,17 +31,22 @@ jobs:
            "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.deb"
        dpkg -i syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
        rm syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
+    - uses: sigstore/cosign-installer@v4.0.0
+      with:
+        cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
    - uses: docker/setup-qemu-action@v3.7.0
    - uses: docker/setup-buildx-action@v3.12.0
    - uses: actions/setup-go@v6.2.0
      with:
        go-version: stable
-    - uses: docker/login-action@v3.6.0
+    - uses: docker/login-action@v3.7.0
      with:
        registry: git.cryptic.systems
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
    - env:
+        COSIGN_PASSPHRASE: ${{ secrets.COSIGN_PASSPHRASE }}
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        GITEA_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
        GONOSUMDB: ${{ vars.GONOSUMDB }}
        GOPROXY: ${{ vars.GOPROXY }}
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -49,7 +49,6 @@ builds:
 changelog:
  filters:
    exclude:
-    - '^chore'
    - '^docs'
    - '^test'
    - Merge pull request
@@ -63,6 +62,9 @@ changelog:
  - title: "Bug fixes"
    regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
    order: 1
+  - title: Dependencies
+    regexp: '^.*?chore\(deps\):.+$'
+    order: 2
  - title: Others
    order: 999
  sort: asc
@@ -143,7 +145,7 @@ nfpms:
  description: |-
    dcmerge is a tool to merge docker-compose files from multiple resources.
    It supports merging local files and remote files via HTTP/HTTPS.
-  license: Apache 2.0
+  license: MIT
  formats:
  - deb
  - rpm
@@ -309,6 +311,51 @@ sboms:
  - "--enrich=all"
  - "--output=spdx-json=$document"

+docker_signs:
+- # ID of the sign config, must be unique.
+  # Only relevant if you want to produce some sort of signature file.
+  #
+  # Default: 'default'.
+  id: container-images
+
+  # Path to the signature command.
+  #
+  # Default: 'cosign'.
+  cmd: cosign
+
+  # Command line arguments for the command.
+  #
+  # Default: ["sign", "--key=cosign.key", "${artifact}@${digest}", "--yes"].
+  # Templates: allowed.
+  args:
+  - "sign"
+  - "--key=env://COSIGN_PRIVATE_KEY"
+  - "${artifact}@${digest}"
+  - "--yes"
+
+  # Which artifacts to sign.
+  #
+  #   all:       all artifacts
+  #   none:      no signing
+  #   images:    only docker images
+  #   manifests: only docker manifests
+  #   '':        images built by dockers_v2
+  #
+  # Default: ''.
+  artifacts: all
+
+  # IDs of the artifacts to sign.
+  ids:
+  - container-images
+
+  # Stdin data to be given to the signature command as stdin.
+  #
+  # Templates: allowed.
+  stdin: "{{ .Env.COSIGN_PASSPHRASE }}"
+
+  # StdinFile file to be given to the signature command as stdin.
+  # stdin_file: ./passphrase.key
+
 gitea_urls:
  api: https://git.cryptic.systems/api/v1
  download: https://git.cryptic.systems
--- a/Dockerfile.scratch
+++ b/Dockerfile.scratch
@@ -1,5 +1,4 @@
 FROM scratch AS build
-
-COPY dcmerge-* /usr/bin/dcmerge
-
+ARG TARGETPLATFORM
+COPY "${TARGETPLATFORM}/dcmerge" "/usr/bin/dcmerge"
 ENTRYPOINT [ "/usr/bin/dcmerge" ]
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # dcmerge

+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/dcmerge)](https://artifacthub.io/packages/search?repo=dcmerge)
 [![Docker Pulls](https://img.shields.io/docker/pulls/volkerraschek/dcmerge)](https://hub.docker.com/r/volkerraschek/dcmerge)

 `dcmerge` is a small program to merge docker-compose files from multiple sources. It is available via RPM and docker.
--- a/artifacthub-repo.yml
+++ b/artifacthub-repo.yml
@@ -1,3 +1 @@
 repositoryID: 2a061ce3-fe96-4fbe-b053-eccdb63001bc
-owners:
- name: Volker Raschek
Author	SHA1	Message	Date
Markus Pesch	4939a636f9	feat(ci): sign container image All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 11s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 6s Details Lint Markdown files / Run markdown linter (push) Successful in 4s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 28s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 24s Details Release / Release application (push) Successful in 5m56s Details Release / Upload Images to docker.io (push) Successful in 1m4s Details	2026-02-02 20:18:06 +01:00
Markus Pesch	84047787a5	chore(deps): update oras to v1.3.0 All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 15s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 30s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 10s Details Lint Markdown files / Run markdown linter (push) Successful in 8s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 24s Details	2026-02-01 22:33:06 +01:00
Markus Pesch	d1156ebc76	fix(ci): use docker/login-action action All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 13s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 10s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 31s Details Lint Markdown files / Run markdown linter (push) Successful in 5s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 23s Details	2026-02-01 22:26:53 +01:00
Markus Pesch	62711e0383	fix(ci): upload artifacthub.yaml into OCI registry All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 13s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 8s Details Lint Markdown files / Run markdown linter (push) Successful in 4s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 31s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 23s Details	2026-02-01 22:22:14 +01:00
CSRBot	af2c817043	Merge pull request 'chore(deps): update docker/login-action action to v3.7.0' (#126 ) from renovate/actions into master All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 13s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 9s Details Lint Markdown files / Run markdown linter (push) Successful in 7s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 30s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 23s Details	2026-02-01 11:16:20 +00:00
CSRBot	849ca6f376	chore(deps): update docker/login-action action to v3.7.0 All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (pull_request) Successful in 13s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 10s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (pull_request) Successful in 7s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 7s Details Lint Markdown files / Run markdown linter (pull_request) Successful in 5s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (pull_request) Successful in 32s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 28s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (pull_request) Successful in 27s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 24s Details	2026-02-01 10:55:21 +00:00
Markus Pesch	9a56601686	fix(artifacthub): adapt repository config All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 11s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 7s Details Lint Markdown files / Run markdown linter (push) Successful in 5s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 29s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 23s Details	2026-01-31 23:24:00 +01:00
Markus Pesch	02ae924b02	fix(Dockerfile): respect target platform All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 16s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 11s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 32s Details Lint Markdown files / Run markdown linter (push) Successful in 5s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 24s Details Release / Release application (push) Successful in 4m19s Details Release / Upload Images to docker.io (push) Successful in 1m2s Details	2026-01-31 23:13:20 +01:00
Markus Pesch	df8b3b4a8b	fix(goreleaser): add dependency updates in changelog All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 12s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 9s Details Lint Markdown files / Run markdown linter (push) Successful in 4s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 30s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 22s Details	2026-01-31 22:56:52 +01:00
Markus Pesch	c40b83e42a	docs(README): add badge from ArtifactHub All checks were successful Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 10s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 7s Details Lint Markdown files / Run markdown linter (push) Successful in 4s Details Update Docker Hub Description / update-description-on-hub-docker-io (push) Successful in 5s Details Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 31s Details Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 22s Details	2026-01-31 22:51:54 +01:00