Merge pull request #2 from jethome-iot/copilot/add-cosign-signing-docker-images

hacker-cb · web-flow · commit 58bdab94e711 · 2025-10-13T09:04:16.000+03:00
Add cosign signing for Docker images
diff --git a/.github/workflows/platformio.yml b/.github/workflows/platformio.yml
@@ -39,6 +39,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
       
     steps:
       - name: Checkout repository
@@ -112,6 +113,7 @@ jobs:
           fi
           
       - name: Build and push Docker image
+        id: build-and-push
         uses: docker/build-push-action@v5
         with:
           context: images/platformio
@@ -120,4 +122,20 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: ${{ steps.cache.outputs.CACHE_FROM }}
           cache-to: ${{ steps.cache.outputs.CACHE_TO }}
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64
+          
+      - name: Install Cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@v3.5.0
+        
+      - name: Sign the published Docker image
+        if: github.event_name != 'pull_request'
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.tags.outputs.TAGS }}
+        run: |
+          images=""
+          for tag in ${TAGS//,/ }; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
diff --git a/README.md b/README.md
@@ -35,6 +35,8 @@ Images are automatically built and published to GHCR when:
 
 Each image has its own GitHub Actions workflow that only triggers when relevant files change.
 
+All published images are signed using [Cosign](https://github.com/sigstore/cosign) with keyless signing for enhanced security and supply chain integrity.
+
 ## License
 
 MIT License - see [LICENSE](LICENSE) file for details.
diff --git a/images/platformio/README.md b/images/platformio/README.md
@@ -60,6 +60,14 @@ pio run --environment esp32
 - `manual-YYYYMMDD-HHMMSS` - Manual workflow dispatch builds
 - `YYYY.MM.DD` - Date-based version tags
 
+All published images are signed using [Cosign](https://github.com/sigstore/cosign) for supply chain security. You can verify image signatures using:
+
+```bash
+cosign verify ghcr.io/jethome-iot/jethome-dev-platformio:latest \
+  --certificate-identity-regexp=https://github.com/jethome-iot/jethome-dev \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
 ## Environment Variables
 
 The image sets these PlatformIO environment variables:
