Sign Docker image with cosign (#8)

* Publish to GitHub container registry
* Sign and verify Docker image with cosign
* Update Readme

Author: AnHeuermann

.github/workflows/publish.yml

@@ -3,34 +3,69 @@ name: Publish Docker Image
 on:
   release:
     types: [published]
+  workflow_dispatch:
+
+# Required for cosign keyless (OIDC) to mint tokens
+permissions:
+  contents: read
+  packages: write
+  id-token: write # needed for signing the images with GitHub OIDC Token
 
 jobs:
   push_to_registry:
-    name: Push Docker image to Docker Hub
+    name: Push Docker image to GitHub Container registry
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v5
+        uses: actions/[email protected]
+
+      - name: Install cosign
+        uses: sigstore/[email protected]
 
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3.6.0
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v5.8.0
         with:
-          images: OpenModelica/crossbuild
+          images: ghcr.io/openmodelica/crossbuild
+          tags: type=ref,event=release
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        id: build-and-push
+        uses: docker/[email protected]
         with:
           context: .
           file: ./Dockerfile
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ steps.meta.outputs.annotations }}
           push: true
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
+      - name: Verify signatures
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign verify ${images}

README.md

@@ -66,19 +66,9 @@ cmake --build build_linux64 --target create_fmu
 
 ### Release Versions
 
-The [publish.yml][gh-publish-file] workflow will build and
+The [publish.yml][gh-publish-file] workflow will build, sign and
 upload the Docker image to
-[OpenModelica/crossbuild][docker-hub] DockerHub for each release.
-
-To do it manually run:
-
-```bash
-export REGISTRY=openmodelica
-export TAG=v1.26.0
-docker login
-docker image tag crossbuild:$TAG $REGISTRY/crossbuild:$TAG
-docker push $REGISTRY/crossbuild:$TAG
-```
+[GitHub container registry][gh-container-registry] for each release.
 
 ### Development Versions
 
@@ -105,5 +95,4 @@ This repository is part of OpenModelica and licensed with
 [gh-publish-file]: ./.github/workflows/publish.yml
 [gh-build-file]: ./.github/workflows/build.yml
 [gh-container-registry]: https://github.com/OpenModelica/openmodelica-crossbuild/pkgs/container/crossbuild
-[docker-hub]: https://hub.docker.com/repository/docker/OpenModelica/crossbuild
 [osmc-license]: ./OSMC-License.txt