bazzite/.github/workflows/sign_image.yml

name: Sign Image

# A workflow to sign an image on demand

on:
  workflow_dispatch:
    inputs:
      image:
        description: 'Image to sign, including the tag'
        required: true

jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Login to GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Get digest
        id: get-digest
        env:
          IMAGE_TO_SIGN: ${{ inputs.image }}
        run: |
          digest=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Digest}}')
          name=$(skopeo inspect docker://$IMAGE_TO_SIGN --format '{{.Name}}')
          echo "DIGEST=$digest" >> $GITHUB_OUTPUT
          echo "NAME=$name" >> $GITHUB_OUTPUT          

      - name: Setup Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Sign Image
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_SECRET }}
          IMAGE_NAME: ${{ steps.get-digest.outputs.NAME }}
          IMAGE_DIGEST: ${{ steps.get-digest.outputs.DIGEST }}
        run: |
          cosign sign -y --key env://SIGNING_KEY $IMAGE_NAME@$IMAGE_DIGEST