From 2471dff3a8777fe656182bcf936ac1ae7dd9ee28 Mon Sep 17 00:00:00 2001
From: SebClem
Date: Tue, 10 Sep 2024 16:56:26 +0200
Subject: [PATCH] Sign docker image
---
 .github/workflows/build_addon.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.github/workflows/build_addon.yml b/.github/workflows/build_addon.yml
index 924dfe2..c395ff3 100644
--- a/.github/workflows/build_addon.yml
+++ b/.github/workflows/build_addon.yml
@@ -101,6 +101,9 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.6.0
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
@@ -148,6 +151,7 @@ jobs:
 - name: Build and push ${{matrix.arch}}
 uses: docker/build-push-action@v6
+ id: build-and-push
 with:
 push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.event_name == 'release') }}
 tags: ${{ steps.meta.outputs.tags }}
@@ -162,6 +166,18 @@ jobs:
 context: ./${{env.TARGET}}/
 platforms: ${{ matrix.arch_value }}
+ - name: Sign the images with GitHub OIDC Token
+ if: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.event_name == 'release') }}
+ env:
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ TAGS: ${{ steps.meta.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
+
 update_main_ha_repository:
 name: Update HA addon repository
 runs-on: ubuntu-latest
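Review bot: The `sigstore/cosign-installer@v3.6.0` step added in the first hunk is pinned by a mutable tag, yet it is the step that decides which binary produces the signatures, so a moved or compromised `v3.6.0` tag would yield signatures that still verify against this workflow's OIDC identity. The rest of the file pins by major tag (`@v4`, `@v3`, `@v6`), so this follows the file's convention, but the signing toolchain deserves a stronger pin: `uses: sigstore/cosign-installer@<full-commit-sha> # v3.6.0`, with the tag kept in a trailing comment so Dependabot/Renovate can still track it. The enclosing `steps:` list starts and ends outside the hunk.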
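Review bot: Keyless `cosign sign` in the third hunk needs the job to be granted `id-token: write` so the runner can mint the OIDC token that cosign exchanges for a signing certificate (and `packages: write` if the signature is pushed to the same registry); the job's `permissions:` block is outside the hunk, so it may already be set, but the default `GITHUB_TOKEN` grants do not include `id-token`, and without it the step fails only at runtime. The step also trusts `DIGEST` unconditionally: if `steps.build-and-push.outputs.digest` is empty the loop builds references like `tag@`, and a guard such as `test -n "${DIGEST}" || { echo "no digest from build step"; exit 1; }` before the loop gives a clearer failure than cosign's parse error. Because this job runs per `matrix.arch`, only the per-architecture manifests are signed here; if a later step assembles a multi-arch manifest list, that index digest needs its own `cosign sign` or consumers verifying the tag will find no signature on what the tag actually resolves to. Finally, `--yes` also accepts upload to the public Rekor transparency log, and the signature is only useful to consumers who know which identity to check, so the expected `--certificate-identity-regexp` and `--certificate-oidc-issuer https://token.actions.githubusercontent.com` values should be documented alongside the image.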