From 39f0d220e03e6d9d5a2772329f988185d193f58b Mon Sep 17 00:00:00 2001
From: Kegan Dougal <7190048+kegsay@users.noreply.github.com>
Date: Thu, 9 May 2024 16:03:29 +0100
Subject: [PATCH] Maybe sign releases

---
 .github/workflows/docker.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 37448d56..b853182b 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -21,7 +21,10 @@ jobs:
       contents: read
       packages: write
       security-events: write # To upload Trivy sarif files
+      id-token: write # needed for signing the images with GitHub OIDC Token
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.3.0
       - name: Checkout
         uses: actions/checkout@v3
       - name: Set up QEMU
@@ -62,6 +65,18 @@ jobs:
             ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:latest
             ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
 
+      - name: Sign the images with GitHub OIDC Token
+        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+        env:
+          DIGEST: ${{ steps.docker_build_sliding_sync_release.outputs.digest }}
+          TAGS: ghcr.io/${{ env.GHCR_NAMESPACE }}/sliding-sync:${{ github.ref_name }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
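Review bot: `sigstore/cosign-installer@v3.3.0` on the new `uses:` line is pinned to a mutable tag that the action's owner, or anyone who compromises that repository, can repoint, and this is the tool that will produce the release signatures; pin it to a full commit SHA with the version kept as a comment, `uses: sigstore/cosign-installer@<40-char-commit-sha> # v3.3.0`. The new `id-token: write` is also granted job-wide, so every other step in this job, including the `aquasecurity/trivy-action@master` step visible further down the file, runs with the ability to request an OIDC token and obtain a Fulcio certificate for this workflow's identity. Either pin those actions to commit SHAs as well, or move the signing into a separate job that is the only one holding `id-token: write`, so a compromised third-party action cannot mint signatures as this repository.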
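Review bot: The `run:` script builds references as `${tag}@${DIGEST}` but never checks that `DIGEST` is non-empty, so if the `docker_build_sliding_sync_release` step (not visible in this hunk) is skipped or stops exporting `digest`, cosign is handed a malformed `...:tag@` reference and the outcome depends on cosign's parsing rather than on an explicit assertion; add `[ -n "${DIGEST}" ] || { echo "no image digest from build step" >&2; exit 1; }` before the loop. The signing identity is also undocumented for consumers: a comment above the step giving the values needed for verification, the OIDC issuer `https://token.actions.githubusercontent.com` and a `--certificate-identity-regexp` matching this repository's workflow path, would let users actually validate the signature rather than just observe that one exists. Signing `tag@digest` is the right shape, since the signature binds to the digest and the `:latest` tag pushed just above presumably resolves to the same digest as the release tag.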