Sign published image manifests with cosign

Wuodan · Wuodan · commit 2a526c857937 · 2026-03-17T02:35:14.000+01:00
Add keyless cosign signing for the published multi-arch manifests, including the canonical version tags and latest. The workflow now requests the OIDC token permission needed for GitHub-backed signing and signs the final manifest digests after publication.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -21,6 +21,10 @@ on:
 env:
   IMAGE_NAME: ${{ inputs.image_name || vars.IMAGE_NAME || 'nikolaik/python-nodejs' }}
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   generate-matrix:
     name: Generate build matrix
@@ -116,6 +120,13 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v4.0.0
+
+      - name: Sign multi-arch manifest
+        run: |
+          digest="$(docker buildx imagetools inspect "${IMAGE_NAME}:${{ matrix.key }}" | awk '/^Digest:/ {print $2}')"
+          cosign sign --yes "${IMAGE_NAME}@${digest}"
 
       - name: Add digest to build context
         run: |
