use cosign #6
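# Builds the Go binary and the container image, pushes the image to Quay, then
# attaches a keyless Cosign signature, an SPDX SBOM attestation and an SLSA
# provenance attestation to the pushed image digest.
#
# Supply-chain note: every `uses:` below references a mutable major-version
# tag. For a workflow whose purpose is attestation, pin each action to a full
# commit SHA (`uses: owner/action@<commit-sha>  # vN`) so that a moved tag
# cannot change what runs here.
name: Build and Attest

on:
  push:
  # Fork-originated pull_request runs receive neither `secrets.*` nor an OIDC
  # token, so the Quay login and the keyless Cosign steps cannot succeed for
  # them; same-repository PRs build, push and sign a PR-tagged image.
  pull_request:
  workflow_dispatch:

env:
  REGISTRY: quay.io
  IMAGE_NAME: spentass/fosdem-2026

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: listing `permissions` sets every unlisted scope to none.
    # `id-token: write` is what keyless Cosign needs to obtain the OIDC token;
    # checkout only needs `contents: read`. The registry is Quay (logged in
    # with repository secrets, not GITHUB_TOKEN) and no step below calls the
    # GitHub attestations or packages APIs, so those write scopes are not
    # granted.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No later step pushes to the repository; do not leave the token in
          # .git/config for the rest of the job.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.24"  # quoted so YAML keeps it a string, not a float
      - name: Build binary
        run: |
          go build -o build-sample main.go
          chmod +x build-sample
      - name: Log in to Quay
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          # Prefer a Quay robot account scoped to this one repository for these
          # secrets rather than a personal account.
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      - name: Extract metadata for container image
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # `{{branch}}` and `{{is_default_branch}}` are metadata-action
          # templates, not GitHub expressions.
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,prefix={{branch}}-
            type=raw,value=latest,enable={{is_default_branch}}
      - name: Build and push container image
        id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Containerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3
      # Every signing/attestation step below addresses the image by the digest
      # reported by the push step, never by a mutable tag, so the signature is
      # bound to the exact bytes that were pushed.
      - name: Generate SBOM for container image
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
          output-file: build-sample-sbom.spdx.json
          artifact-name: "build-sample-sbom.spdx.json"
      - name: Sign container image with Cosign
        # Keyless: the signing identity comes from the job's OIDC token
        # (id-token: write); `--yes` skips cosign's confirmation prompt.
        run: |
          cosign sign --yes \
            "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}"
      - name: Attest SBOM with Cosign
        run: |
          cosign attest --yes \
            --predicate build-sample-sbom.spdx.json \
            --type spdx \
            "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}"
      - name: Generate and attest SLSA provenance with Cosign
        # The predicate is written to a file in its own command so that, under
        # the default `bash -e` shell, a failing generator aborts the step
        # instead of feeding an empty predicate to `cosign attest` through a
        # process substitution (whose exit status bash does not propagate).
        # NOTE(review): confirm that `cosign generate-slsa-provenance` exists in
        # the cosign release installed above; it is not a subcommand this
        # reviewer recognises from the core cosign CLI.
        run: |
          cosign generate-slsa-provenance \
            --repo "${{ github.repository }}" \
            --run-id "${{ github.run_id }}" \
            --sha "${{ github.sha }}" \
            > build-sample-provenance.json
          cosign attest --yes \
            --predicate build-sample-provenance.json \
            --type slsaprovenance \
            "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}"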