The `sign-container` GitHub Action provides secure, keyless signing of container images with multiple tags, using OIDC authentication based on GitHub's OIDC token. This action allows developers to sign container images without manually managing sensitive signing keys, enhancing the trust and integrity of containerized applications.
Designed for seamless integration within Ledger's CI/CD pipeline, the `sign-container` action automates the container signing process, ensuring that container images are securely signed and verifiable. By incorporating secure signing into your container deployment workflow, it helps protect against unauthorized modifications and ensures compliance with container security policies.
To enable this action to work properly, ensure the following permissions are set in your workflow (the `id-token: write` permission is what lets the job request the GitHub OIDC token used for keyless signing):

```yaml
permissions:
  id-token: write
```
Here's how you can use the `sign-container` action within your workflow:

```yaml
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Sign a container
        id: sign-container
        uses: LedgerHQ/actions-security/actions/sign-container@actions/sign-container-1
        with:
          tags: ""
          digest: ""
```
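A complete workflow that wires the two inputs to their producers, as an added example rather than a snippet from the action's own repository: the step ids (`meta`, `build`), the GHCR registry, the tag trigger and the pinned versions of the Docker actions are assumptions; the `sign-container` reference is the one documented above.

```yaml
# Assumed example workflow: build, push and sign an image on a version tag.
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write   # push to GHCR (assumed registry)
  id-token: write   # required so the job can obtain the GitHub OIDC token

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Compute image tags
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}}
            type=sha

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # Sign every tag produced by metadata-action against the pushed digest,
      # so the signature is bound to the exact image content that was built.
      - name: Sign a container
        uses: LedgerHQ/actions-security/actions/sign-container@actions/sign-container-1
        with:
          tags: ${{ steps.meta.outputs.tags }}
          digest: ${{ steps.build.outputs.digest }}
```

Passing `steps.build.outputs.digest` rather than a tag ensures the signature covers the image content itself, since tags are mutable and can later point at a different image.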
| name | description | required | default |
|---|---|---|---|
| tags | List of tags to sign (based on the output of the docker/metadata-action) | true | "" |
| digest | Digest of the container image to sign (based on the output of the docker/build-push-action) | true | "" |
This action is a composite action, which allows us to combine multiple workflow steps into a single, reusable action. This promotes modularity and simplifies our workflows.