feat: add first version of the container sign action

README.md

@@ -4,12 +4,16 @@ Github Action - Security actions and reusable workflow used at Ledger
 > [!TIP]
 > To benefit from the patch and minor upgrade, please use the major tag of the action that you are using
 
+> [!IMPORTANT]
+> Theses actions can require to define custom permission inside the Github Action Workflow where they are use. Like, `id-token: write`or `attestations: write`, please refer to the documenation of each action to have more informations.
+
 ## Actions
 
-| Path | Usage |
-| ------------- | ------------- |
-| actions/jfrog-login | This action is used to login to the JFrog Plateform of Ledger (Artifactory, Xray, etc.). |
-| actions/attest | This action is used to generate a provenance file and to sign it (attestation in-toto format). |
-| actions/sign-blob | This action is used to sign a blob in keyless mode based on Github OIDC token. |
+| Path | Last major version | Usage |
+| ------------- | ------------- | ------------- |
+| actions/jfrog-login | `actions/jfrog-login-1` | This action is used to login to the JFrog Plateform of Ledger (Artifactory, Xray, etc.). |
+| actions/attest | `actions/attest-1` | This action is used to generate a provenance file and to sign it (attestation in-toto format). |
+| actions/sign-blob | `actions/sign-blob-1` | This action is used to sign a blob in keyless mode based on Github OIDC token. |
+| actions/sign-container | `actions/sign-container-1` | This action is used to sign a container image with a list of tags in keyless mode based on Github OIDC token. |
 
 

actions/sign-container/README.md

@@ -0,0 +1,49 @@
+# Action: sign-blob
+
+<!-- action-docs-description source="action.yml" -->
+## Description
+
+This action is used to sign a container image with a list of tags in keyless mode based on Github OIDC token.
+<!-- action-docs-description source="action.yml" -->
+
+## Usage
+
+### Permissions
+```yaml
+permissions:
+    id-token: write
+```
+
+### Example Workflow
+```yaml
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Sign a blob
+        id: sign-blob
+        uses: LedgerHQ/actions-security/actions/sign-container@actions/sign-container-1
+        with:
+          tags: ""
+          disgest: ""
+```
+
+<!-- action-docs-inputs source="action.yml" -->
+## Inputs
+
+| name | description | required | default |
+| --- | --- | --- | --- |
+| `tags` | <p>List of tags to sign (based on the output of the docker/metadata-action)</p> | `true` | `""` |
+| `digest` | <p>Digest of the container image to sign (based on the output of the docker/build-push-action)</p> | `true` | `""` |
+<!-- action-docs-inputs source="action.yml" -->
+
+<!-- action-docs-outputs source="action.yml" -->
+
+<!-- action-docs-outputs source="action.yml" -->
+
+
+<!-- action-docs-runs source="action.yml" -->
+## Runs
+
+This action is a `composite` action.
+<!-- action-docs-runs source="action.yml" -->

actions/sign-container/action.yml

@@ -0,0 +1,27 @@
+name: "[Ledger Security] Sign container image"
+description: "This action is used to sign a container image with a list of tags in keyless mode based on Github OIDC token."
+
+inputs:
+  tags:
+    description: 'List of tags to sign (based on the output of the docker/metadata-action)'
+    required: true
+    default: ""
+  digest:
+    description: 'Digest of the container image to sign (based on the output of the docker/build-push-action)'
+    required: true
+    default: ""
+
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3
+    - name: Sign containers images
+      shell: bash
+      run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}