enable container signing

tuminoid · tuminoid · commit e09c2ecbc926 · 2025-12-05T15:09:17.000+02:00
This commit enables container signing for all images build from this
repository via build-images-action.yml and release.yml, both reusing
container-image-build.yml from project-infra.

All container images will be built with keyless signing, utilizing
short-lived Github Actions OIDC tokens (id-token: write) and the
certificates and transparency logs are utilizing Sigstore's public
Fulcio and Rekor services.

Signed-off-by: Tuomo Tanskanen &lt;tuomo.tanskanen@est.tech&gt;
diff --git a/.github/workflows/build-images-action.yml b/.github/workflows/build-images-action.yml
@@ -23,6 +23,7 @@ jobs:
       image-name: 'baremetal-operator'
       pushImage: true
       generate-sbom: true
+      sign-image: true
     secrets:
       QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
       QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -135,6 +135,7 @@ jobs:
       pushImage: true
       ref: ${{ needs.push_release_tags.outputs.release_tag }}
       generate-sbom: true
+      sign-image: true
     secrets:
       QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
       QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
