From 72b4157b244fa3dfe67bfd4607e175ba8da9cf34 Mon Sep 17 00:00:00 2001 From: Imran Siddique Date: Sun, 5 Jul 2026 15:00:09 -0700 Subject: [PATCH] ci: sign published images (keyless cosign) and attest SLSA build provenance Images pushed to ghcr.io were unsigned with no provenance. Add keyless cosign signing of the pushed image by digest (OIDC, no keys) and an actions/attest-build-provenance SLSA provenance attestation pushed to the registry. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/docker.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 21c84b8..152b278 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -14,6 +14,8 @@ jobs: permissions: contents: read packages: write + id-token: write # keyless cosign signing + provenance attestation (OIDC) + attestations: write # actions/attest-build-provenance steps: - name: Checkout @@ -31,6 +33,7 @@ jobs: run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" - name: Build and push + id: build uses: docker/build-push-action@v7 with: context: . @@ -38,3 +41,18 @@ jobs: tags: | ghcr.io/agentrust-io/ca2a-runtime:${{ steps.tag.outputs.tag }} ghcr.io/agentrust-io/ca2a-runtime:latest + + - name: Install cosign + uses: sigstore/cosign-installer@v3 + + - name: Sign the image (keyless, by digest) + env: + DIGEST: ${{ steps.build.outputs.digest }} + run: cosign sign --yes ghcr.io/agentrust-io/ca2a-runtime@${DIGEST} + + - name: Attest build provenance (SLSA) + uses: actions/attest-build-provenance@v2 + with: + subject-name: ghcr.io/agentrust-io/ca2a-runtime + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: true