chore(build): cosign images and the manifest as well

.github/workflows/release-snapshot.yaml

@@ -25,6 +25,10 @@ jobs:
         with:
           submodules: true
           fetch-depth: 0
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v2.0.2'
       - name: Login to docker.io registry
         uses: docker/login-action@v2
         with:
@@ -43,8 +47,14 @@ jobs:
         run: |
           docker image tag tracee:latest aquasec/tracee:x86_64-dev
           docker image push aquasec/tracee:x86_64-dev
+        shell: bash
+      - name: Sign Docker image
+        run: |
+          cosign sign -y $(docker inspect --format='{{index .RepoDigests 0}}' aquasec/tracee:x86_64-dev)
+        shell: bash
   release-snapshot-aarch64:
     name: Release Snapshot (aarch64)
+    needs: [ release-snapshot-x86_64 ]
     runs-on: [ "github-self-hosted_ami-03217ce7c37572c4d_${{ github.event.number }}-${{ github.run_id }}" ]
     permissions:
       contents: read
@@ -56,6 +66,10 @@ jobs:
         with:
           submodules: true
           fetch-depth: 0
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v2.0.2'
       - name: Login to docker.io registry
         uses: docker/login-action@v2
         with:
@@ -74,6 +88,11 @@ jobs:
         run: |
           docker image tag tracee:latest aquasec/tracee:aarch64-dev
           docker image push aquasec/tracee:aarch64-dev
+        shell: bash
+      - name: Sign Docker image
+        run: |
+          cosign sign -y $(docker inspect --format='{{index .RepoDigests 0}}' aquasec/tracee:aarch64-dev)
+        shell: bash
   release-snapshot:
     name: Release Snapshot
     needs: [release-snapshot-x86_64, release-snapshot-aarch64]
@@ -88,6 +107,10 @@ jobs:
         with:
           submodules: true
           fetch-depth: 0
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v2.0.2'
       - name: Login to docker.io registry
         uses: docker/login-action@v2
         with:
@@ -101,3 +124,7 @@ jobs:
             aquasec/tracee:aarch64-dev
           docker manifest push aquasec/tracee:dev
         shell: bash
+      - name: Sign Docker image
+        run: |
+          cosign sign -y aquasec/tracee:dev
+        shell: bash

.github/workflows/release.yaml

@@ -55,9 +55,7 @@ jobs:
     name: Release (aarch64)
     env:
       GH_TOKEN: ${{ github.token }}
-    # only runs after x64 released
-    needs:
-      - release-x86_64
+    needs: [ release-x86_64 ]
     runs-on: [ "github-self-hosted_ami-03217ce7c37572c4d_${{ github.event.number }}-${{ github.run_id }}" ]
     permissions:
       contents: write
@@ -111,6 +109,10 @@ jobs:
           ref: ${{ github.event.inputs.ref }}
           submodules: true
           fetch-depth: 0
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v2.0.2'
       - name: Login to docker.io registry
         uses: docker/login-action@v2
         with:
@@ -129,3 +131,9 @@ jobs:
           docker manifest push aquasec/tracee:latest
           docker manifest push aquasec/tracee:${TAG}
         shell: bash
+      - name: Sign the latest manifest with Cosign
+        run: |
+          TAG=$(echo ${{ github.event.inputs.ref }} | sed -e "s/v//gI")
+          cosign sign -y aquasec/tracee:latest
+          cosign sign -y aquasec/tracee:${TAG}
+        shell: bash

builder/Makefile.release

@@ -19,7 +19,6 @@ MAKEFLAGS += --no-print-directory
 #
 
 CMD_CHECKSUM ?= sha256sum
-CMD_COSIGN ?= cosign
 CMD_DOCKER ?= docker
 CMD_GIT ?= git
 CMD_GITHUB ?= gh