The idea is to add something like:

```yaml
- name: Sign the published Docker image
  if: ${{ github.event_name != 'pull_request' }}
  # This step uses the identity token to provision an ephemeral
  # certificate against the sigstore community Fulcio instance.
  run: |
    # We should be able to get the following (registry, name, tag) from the failing policy, right?
    IMAGE_NAME=<registry>/<image-name>:<tag>
    # The image should already be present locally. If not, we should consider whether we can end up in a situation where the image is built but not yet pushed at this step.
    docker pull ${IMAGE_NAME}
    # Get the digest
    IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME})
    # Sign the image. We can consider whether we should use IMAGE_NAME directly (works with cosign) in case we cannot guarantee that the digest above corresponds to the image being built.
    cosign sign --yes ${IMAGE_DIGEST}
```

to the workflow that produces the container image we are checking.
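The open question in the step above is whether the digest pulled from `RepoDigests` is really the image that was just built. The following is an added example, not code from the comment or from the project it discusses, showing one way to guard that: only ever hand cosign a digest-pinned reference whose repository matches the image name, and emit the matching keyless `cosign verify` command (GitHub Actions OIDC issuer, cosign v2 flags) a consumer would run. The image, organisation and workflow names are constructed placeholders; `local_repo_digest` is the only function that touches docker and is not invoked by the demo.

```shell
#!/usr/bin/env sh
# Added example (not from the original comment). Assumes cosign v2 keyless
# flags and the GitHub Actions OIDC issuer; the signing job additionally needs
# `permissions: id-token: write` in the workflow for Fulcio to issue a cert.
set -eu

GH_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Succeeds only when $1 has the form <name>@sha256:<64 hex chars>,
# the one form we are willing to sign.
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Strip an optional :tag (after the last /) and an optional @digest from an
# image reference, leaving the repository path, e.g. ghcr.io:443/org/img.
repo_of() {
  repo="${1%@*}"
  case "${repo##*/}" in
    *:*) repo="${repo%:*}" ;;
  esac
  printf '%s\n' "$repo"
}

# Turn a RepoDigests entry ($2) into a signable reference for image $1.
# Fails when the entry is not digest-pinned or belongs to a different
# repository, which is how a stale or unrelated local image would surface.
digest_ref_for() {
  image="$1"; repo_digest="$2"
  is_digest_ref "$repo_digest" || return 1
  [ "$(repo_of "$repo_digest")" = "$(repo_of "$image")" ] || return 1
  printf '%s\n' "$repo_digest"
}

# Query docker for the first RepoDigests entry of $1 (not run by the demo).
local_repo_digest() {
  docker inspect --format='{{index .RepoDigests 0}}' "$1"
}

# Build the signing command; refuses anything that is not digest-pinned.
sign_command() {
  is_digest_ref "$1" || return 1
  printf 'cosign sign --yes %s\n' "$1"
}

# Build the consumer-side check: $1 = digest ref, $2 = regexp the signing
# certificate's identity (the workflow URL) must match.
verify_command() {
  printf 'cosign verify --certificate-oidc-issuer %s --certificate-identity-regexp %s %s\n' \
    "$GH_OIDC_ISSUER" "$2" "$1"
}

# Demo with constructed values (no docker or cosign invoked).
DEMO_IMAGE="ghcr.io/example-org/example-image:1.2.3"
DEMO_REPO_DIGEST="ghcr.io/example-org/example-image@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
DEMO_IDENTITY='^https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/tags/v[0-9.]+$'

if ref=$(digest_ref_for "$DEMO_IMAGE" "$DEMO_REPO_DIGEST"); then
  sign_command "$ref"
  verify_command "$ref" "$DEMO_IDENTITY"
else
  echo "refusing to sign: RepoDigests entry is not a digest of ${DEMO_IMAGE}" >&2
fi
```

In a workflow, `IMAGE_DIGEST=$(digest_ref_for "$IMAGE_NAME" "$(local_repo_digest "$IMAGE_NAME")")` would replace the bare `docker inspect` line, so a mismatch fails the job instead of silently signing the wrong digest. The identity regexp on the verify side is what stops a signature from any other repository's workflow (same issuer, same Fulcio) from being accepted.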