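# A workflow to sign an image on demand.
#
# Triggered manually with an image reference. The reference is resolved to its
# immutable digest with skopeo, and that digest (never the mutable tag) is what
# cosign signs, using the key held in the SIGNING_SECRET repository secret.
name: Sign Image

on:
  workflow_dispatch:
    inputs:
      image:
        description: 'Image to sign, including the tag'
        required: true

jobs:
  sign:
    runs-on: ubuntu-latest
    # packages: write is what lets cosign push the signature to GHCR
    # alongside the image; nothing here needs more than read on contents.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout code
        # NOTE(review): every other action in this job is pinned to a commit
        # SHA; this one follows a mutable tag, so pin it the same way.
        uses: actions/checkout@v4

      - name: Login to GHCR
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Get digest
        id: get-digest
        # Explicit bash runs with `-eo pipefail`; the implicit default is `-e` only.
        shell: bash
        env:
          # Handed over via env instead of being interpolated into the script,
          # so the user-supplied reference is never evaluated as shell syntax.
          IMAGE_TO_SIGN: ${{ inputs.image }}
        # NOTE(review): the input is not restricted to this org's namespace on
        # ghcr.io; anyone permitted to dispatch the workflow can have the org
        # key sign whatever reference they pass. Consider validating it.
        run: |
          # A single inspect call returns both fields from the same manifest
          # lookup; expansions are quoted so the reference is one argument.
          inspect=$(skopeo inspect "docker://$IMAGE_TO_SIGN" --format '{{.Name}} {{.Digest}}')
          read -r name digest <<< "$inspect"
          if [[ -z "$name" || -z "$digest" ]]; then
            echo "::error::could not resolve name and digest for '$IMAGE_TO_SIGN'"
            exit 1
          fi
          echo "DIGEST=$digest" >> "$GITHUB_OUTPUT"
          echo "NAME=$name" >> "$GITHUB_OUTPUT"

      - name: Setup Cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Sign Image
        shell: bash
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_SECRET }}
          IMAGE_NAME: ${{ steps.get-digest.outputs.NAME }}
          IMAGE_DIGEST: ${{ steps.get-digest.outputs.DIGEST }}
        run: |
          # Sign by digest so the signature binds to content, not to a tag
          # that could later be re-pointed at a different image.
          cosign sign -y --key env://SIGNING_KEY "$IMAGE_NAME@$IMAGE_DIGEST"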