From c17b2998f8331855c9739fa9534a1d9494c1a00d Mon Sep 17 00:00:00 2001
From: Laurent Broudoux
Date: Tue, 3 Dec 2024 17:32:47 +0100
Subject: [PATCH] ci: #62 Add cosign image signature + sbom + provenance
Signed-off-by: Laurent Broudoux
---
 .github/workflows/build-verify.yml | 43 ++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml
index 72b0bfc..b1746c2 100644
--- a/.github/workflows/build-verify.yml
+++ b/.github/workflows/build-verify.yml
@@ -12,7 +12,10 @@ on:
 - '.gitignore'
 - 'LICENSE'
 - '*.md'
-permissions: read-all
+permissions:
+ contents: read
+ id-token: write # needed for signing the images with GitHub OIDC Token
+
 jobs:
 build-verify-package:
 runs-on: ubuntu-latest
@@ -39,6 +42,9 @@ jobs:
 echo "PACKAGE_IMAGE=false" >> "$GITHUB_ENV"
 fi
 
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.7.0
+
 - name: Set up QEMU
 if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'
 uses: docker/setup-qemu-action@v2
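Review bot: `id-token: write` is granted at workflow level in the new `permissions:` block, so every job in this workflow receives an OIDC token although only the image-signing step needs one; if the workflow has jobs other than `build-verify-package` (only that one is visible in the hunk), move the scopes under that job as `permissions:` / `  contents: read` / `  id-token: write` and keep the workflow-level default at `contents: read`. The switch from `read-all` to `contents: read` also removes every other read scope (for example `packages: read`), so confirm that no existing step relied on one of them. The inline comment is helpful; extending it to say that `id-token: write` is what enables keyless Cosign signing will stop a later cleanup from treating the scope as unused.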
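Review bot: `sigstore/cosign-installer@v3.7.0` is pinned to a mutable tag, yet this step installs the tool that produces the signatures everything downstream will trust; pin it to the tag's commit with the version kept as a trailing comment, `uses: sigstore/cosign-installer@<commit-sha> # v3.7.0`, and apply the same to `docker/build-push-action@v4.0.0` in the following hunk. The step also runs unconditionally while the neighbouring QEMU and build steps are gated on `github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'`; adding the same `if:` line keeps fork and non-packaging runs from installing a tool they never invoke.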
@@ -53,17 +59,32 @@ jobs:
 echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
 BUILDER=buildx-multi-arch
 docker buildx inspect $BUILDER || docker buildx create --name=$BUILDER --driver=docker-container --driver-opt=network=host
-
+
 - name: Build and push container image
+ id: build-and-push
+ uses: docker/build-push-action@v4.0.0
 if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'
+ with:
+ context: .
+ sbom: true
+ push: true
+ platforms: linux/amd64,linux/arm64
+ builder: buildx-multi-arch
+ file: Dockerfile
+ labels: |
+ org.opencontainers.image.revision=${GITHUB_SHA}
+ org.opencontainers.image.created=${{ steps.date.outputs.date }}
+ tags: quay.io/microcks/microcks-hub:${{env.IMAGE_TAG}}
+
+ - name: Sign the image with GitHub OIDC Token
+ env:
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ TAGS: quay.io/microcks/microcks-hub:${{env.IMAGE_TAG}}
+ COSIGN_EXPERIMENTAL: "true"
 run: |
- docker buildx build --push \
- --platform=linux/amd64,linux/arm64 \
- --builder=buildx-multi-arch \
- --provenance=false \
- --build-arg TAG=$IMAGE_TAG \
- --file Dockerfile \
- --label "org.opencontainers.image.revision=${GITHUB_SHA}" \
- --label "org.opencontainers.image.created=${{ steps.date.outputs.date }}" \
- --tag=quay.io/microcks/microcks-hub:$IMAGE_TAG .
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
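Review bot: The rewritten build step drops `--build-arg TAG=$IMAGE_TAG` without a replacement — the new `with:` block has no `build-args:` — so if the Dockerfile declares `ARG TAG` the image is now built with that argument's default; add `build-args: |` / `  TAG=${{ env.IMAGE_TAG }}` next to `file: Dockerfile`. The new "Sign the image with GitHub OIDC Token" step has no `if:`, so whenever the build step is skipped (`PACKAGE_IMAGE` false, or a run outside the `microcks` owner) it still executes with an empty `DIGEST` and `cosign sign` fails the job; gate it with the same `if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'`. The label `org.opencontainers.image.revision=${GITHUB_SHA}` used to be expanded by the shell inside `run:`, but inside `with:` it is handed to the action as text, and unless the action performs its own shell-style expansion (I do not believe it does) the pushed image carries the literal string — write it as `${{ github.sha }}`, matching the expression syntax the sibling `created` label already uses. The commit title announces provenance, yet the step sets nothing for it and the old `--provenance=false` is gone, so the result depends on the action's default; if a full attestation is intended, state it explicitly with `provenance: mode=max` beside `sbom: true`. Finally, `COSIGN_EXPERIMENTAL: "true"` only mattered for pre-2.0 keyless flows; with cosign 2.x (what cosign-installer v3 provides by default) it is redundant and can be removed to avoid suggesting the flow is still experimental.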