From 258513d9cf5ad5293b42875135712cd80515fc18 Mon Sep 17 00:00:00 2001
From: Richard Boisvert
Date: Mon, 9 Mar 2026 22:33:01 -0400
Subject: [PATCH] [DEVOPS-4325] ci: add cosign and provenance to docker image

---
 .github/workflows/build-image.yml | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index a7c396f..e6f7b55 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -32,7 +32,7 @@ jobs:
 VERSION=$(gh release view --json tagName --jq .tagName --repo devolutions/prux)
 fi
- gh release download $VERSION --repo devolutions/prux --pattern '*.tar.gz'
+ gh release download "$VERSION" --repo devolutions/prux --pattern '*.tar.gz'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -46,6 +46,9 @@ jobs:
 if: ${{ inputs.is_workflow_call }}
 uses: actions/download-artifact@v4
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
 - name: Login to DockerHub
 uses: docker/login-action@v3
 with:
@@ -54,14 +57,29 @@ jobs:
 - name: Build and push image
 id: docker_build
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 context: .
 file: dockerfile/Dockerfile.GH
+ provenance: mode=max
 push: true
+ sbom: true
 tags: |
 devolutions/prux:${{ inputs.tag }}
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.8.0
+ with:
+ cosign-release: v2.4.1
+ - name: Sign image with Cosign
+ run: |
+ cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY \
+ devolutions/prux@${{ steps.docker_build.outputs.digest }}
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
 - name: Docker Scout
 uses: docker/scout-action@v1
 with:
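Review bot: `gh release download "$VERSION" --repo devolutions/prux --pattern '*.tar.gz'` fetches the tarball that presumably ends up inside the image, but nothing in this step checks the artifact's integrity before the build consumes it, which undercuts the provenance and signature the same patch adds downstream. If the prux release workflow publishes checksums or GitHub artifact attestations, verify them right after the download, e.g. `gh attestation verify ./*.tar.gz --repo devolutions/prux` (or `sha256sum -c` against a published checksum file), and let the job fail otherwise. The `run:` block and the `if` that sets `VERSION` begin above the hunk, so I cannot see whether `set -euo pipefail` is in effect when `gh release view` returns an empty tag.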
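Review bot: `uses: docker/setup-buildx-action@v3` pins the new step to a mutable major tag, so the builder that produces this image's provenance can change underneath the workflow whenever the tag is moved; pin to a full commit SHA and keep the tag as a trailing comment, `uses: docker/setup-buildx-action@<full-commit-sha> # v3`. The same applies to the other actions this patch adds (`cosign-installer@v3.8.0`, `build-push-action@v6`): release tags can be re-pointed, and a compromised tag would execute inside the job that holds the signing key and Docker Hub credentials.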
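Review bot: The `Docker Scout` step at the end of the hunk runs after the image has already been pushed and signed, so a valid signature exists even when the scan fails; if Scout is meant as a gate, move it above `Sign image with Cosign` so the signature only attests to an image that passed. The signing step relies on a long-lived key in repository secrets (`--key env://COSIGN_PRIVATE_KEY`); keyless signing with the job's OIDC token (`permissions: id-token: write` on the job, then `cosign sign --yes --recursive devolutions/prux@${{ steps.docker_build.outputs.digest }}`) removes the key-custody and rotation burden and binds the signature to this workflow identity, which consumers can check with `--certificate-identity`. `provenance: mode=max` records build arguments in the public attestation; none are passed in this hunk, but if `Dockerfile.GH` ever receives secret-bearing `build-args` they will be disclosed. A `cosign verify` of the pushed digest after signing would also catch a broken signing step before the image is consumed.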