Enable sigstore/cosign for container images (mtougeron#62)

Author: mtougeron

.github/workflows/publish.yml

@@ -30,6 +30,13 @@ jobs:
     if: github.event_name == 'push'
     # Ensure test job passes before pushing image.
     needs: test
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
     steps:
       -
         name: Checkout
@@ -73,3 +80,15 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
+
+      - uses: sigstore/cosign-installer@main
+
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data. https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign ${{ steps.docker_meta.outputs.tags }}@${{ steps.docker_build.outputs.digest }}

.gitignore

@@ -13,3 +13,5 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+cosign.*