From 2471dff3a8777fe656182bcf936ac1ae7dd9ee28 Mon Sep 17 00:00:00 2001
From: SebClem <seb6596@gmail.com>
Date: Tue, 10 Sep 2024 16:56:26 +0200
Subject: [PATCH] Sign docker image

---
 .github/workflows/build_addon.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/build_addon.yml b/.github/workflows/build_addon.yml
index 924dfe2..c395ff3 100644
--- a/.github/workflows/build_addon.yml
+++ b/.github/workflows/build_addon.yml
@@ -101,6 +101,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.6.0
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -148,6 +151,7 @@ jobs:
 
       - name: Build and push ${{matrix.arch}}
         uses: docker/build-push-action@v6
+        id: build-and-push
         with:
           push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.event_name == 'release') }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -162,6 +166,18 @@ jobs:
           context: ./${{env.TARGET}}/
           platforms: ${{ matrix.arch_value }}
 
+      - name: Sign the images with GitHub OIDC Token
+        if: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.event_name == 'release') }}
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
   update_main_ha_repository:
     name: Update HA addon repository
     runs-on: ubuntu-latest