feat: add cosign signing and SBOM to docker publish (#277)

retr0h · claude · web-flow · commit cb9c48b2de72 · 2026-03-15T21:05:32.000-07:00
* feat: add cosign signing and SBOM to docker publish Sign images with cosign using GitHub OIDC keyless signing. Generate SBOM via BuildKit's built-in SBOM generator. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: add cosign verification and SBOM to install docs Document image signing, signature verification, and SBOM download. Link to the GHCR package page. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * style: fix line wrapping in Docker install docs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: add Docker/cosign/SBOM badges and fix org references Add badges for GHCR container image, cosign signing, and SBOM. Fix all badge URLs from retr0h/osapi to osapi-io/osapi. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: link SBOM badge to install docs with download instructions 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: link cosign badge to install docs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -8,6 +8,7 @@ on:
 permissions:
   contents: read
   packages: write
+  id-token: write
 
 jobs:
   publish:
@@ -43,9 +44,19 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
+        id: build
         uses: docker/build-push-action@v7
         with:
           context: .
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ghcr.io/${{ github.repository }}:latest
+          sbom: true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign image with cosign
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+        run: cosign sign --yes ghcr.io/${{ github.repository }}@${DIGEST}
diff --git a/README.md b/README.md
@@ -1,13 +1,16 @@
-[![release](https://img.shields.io/github/release/retr0h/osapi.svg?style=for-the-badge)](https://github.com/retr0h/osapi/releases/latest)
-[![codecov](https://img.shields.io/codecov/c/github/retr0h/osapi?token=NF0T86B1EP&style=for-the-badge)](https://codecov.io/gh/retr0h/osapi)
+[![release](https://img.shields.io/github/release/osapi-io/osapi.svg?style=for-the-badge)](https://github.com/osapi-io/osapi/releases/latest)
+[![codecov](https://img.shields.io/codecov/c/github/osapi-io/osapi?token=NF0T86B1EP&style=for-the-badge)](https://codecov.io/gh/osapi-io/osapi)
 [![go report card](https://goreportcard.com/badge/github.com/retr0h/osapi?style=for-the-badge)](https://goreportcard.com/report/github.com/retr0h/osapi)
 [![license](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=for-the-badge)](LICENSE)
-[![build](https://img.shields.io/github/actions/workflow/status/retr0h/osapi/go.yml?style=for-the-badge)](https://github.com/retr0h/osapi/actions/workflows/go.yml)
+[![build](https://img.shields.io/github/actions/workflow/status/osapi-io/osapi/go.yml?style=for-the-badge)](https://github.com/osapi-io/osapi/actions/workflows/go.yml)
+[![docker](https://img.shields.io/badge/ghcr.io-osapi-blue?style=for-the-badge&logo=docker&logoColor=white)](https://github.com/osapi-io/osapi/pkgs/container/osapi)
+[![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://osapi-io.github.io/osapi/#docker)
+[![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://osapi-io.github.io/osapi/#docker)
 [![powered by](https://img.shields.io/badge/powered%20by-goreleaser-green.svg?style=for-the-badge)](https://github.com/goreleaser)
 [![conventional commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg?style=for-the-badge)](https://conventionalcommits.org)
 ![openapi initiative](https://img.shields.io/badge/openapiinitiative-%23000000.svg?style=for-the-badge&logo=openapiinitiative&logoColor=white)
 ![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)
-![gitHub commit activity](https://img.shields.io/github/commit-activity/m/retr0h/osapi?style=for-the-badge)
+![gitHub commit activity](https://img.shields.io/github/commit-activity/m/osapi-io/osapi?style=for-the-badge)
 
 # OS API
 
diff --git a/docs/docs/sidebar/intro.md b/docs/docs/sidebar/intro.md
@@ -25,14 +25,29 @@ Or download a prebuilt binary from the [releases][] page.
 
 ### Docker
 
-A distroless image is published to GitHub Container Registry on every commit to
-main:
+A multi-arch distroless image is published to [GitHub Container Registry][ghcr]
+on every commit to main. Images are signed with [cosign][] (keyless, via GitHub
+OIDC) and include an [SBOM][] attestation.
 
 ```bash
 docker pull ghcr.io/osapi-io/osapi:latest
 docker run ghcr.io/osapi-io/osapi:latest --help
 ```
 
+Verify the image signature:
+
+```bash
+cosign verify ghcr.io/osapi-io/osapi:latest \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-identity-regexp github.com/osapi-io/osapi
+```
+
+Download the SBOM:
+
+```bash
+cosign download sbom ghcr.io/osapi-io/osapi:latest
+```
+
 ## Quickstart
 
 Install OSAPI and start all three components in a single process:
@@ -96,4 +111,7 @@ osapi client health
 [Cockpit]: https://cockpit-project.org/
 [webmin]: https://webmin.com/
 [releases]: https://github.com/retr0h/osapi/releases
+[ghcr]: https://github.com/osapi-io/osapi/pkgs/container/osapi
+[cosign]: https://github.com/sigstore/cosign
+[SBOM]: https://en.wikipedia.org/wiki/Software_supply_chain
 <!-- prettier-ignore-end -->
