ci(workflow): add container image signing and verification with Cosign

stefaniuk · stefaniuk · commit 2bb91aab6bb7 · 2025-11-03T22:17:52.000Z
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
@@ -19,14 +19,14 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - name: "🔐 Generate GitHub App token"
+      - name: "🔐 Generate app token"
         uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.GH_VERSIONING_APP_ID || vars.NHS_GH_VERSIONING_APP_ID }}
           private-key: ${{ secrets.GH_VERSIONING_APP_PRIVATE_KEY || secrets.NHS_GH_VERSIONING_APP_PRIVATE_KEY }}
 
-      - name: "🙈 Mask App token"
+      - name: "🙈 Mask app token"
         run: echo "::add-mask::${{ steps.app-token.outputs.token }}"
 
       - name: "📥 Checkout repository"
@@ -82,7 +82,7 @@ jobs:
           GIT_COMMITTER_NAME: ${{ vars.GIT_SIGNING_BOT_NAME || vars.NHS_GIT_SIGNING_BOT_NAME }}
           GIT_COMMITTER_EMAIL: ${{ vars.GIT_SIGNING_BOT_EMAIL || vars.NHS_GIT_SIGNING_BOT_EMAIL }}
 
-      - name: "🔑 Login to GitHub Container Registry"
+      - name: "🔑 Login to container registry"
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -100,6 +100,23 @@ jobs:
           docker push ${IMAGE_NAME}:app-${VERSION}
           docker push ${IMAGE_NAME}:app-latest
 
+      - name: "🔏 Sign container image"
+        if: steps.release.outputs.new_release_published == 'true'
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY || secrets.NHS_COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD || secrets.NHS_COSIGN_PASSWORD }}
+          IMAGE_NAME: ghcr.io/${{ github.repository }}
+          VERSION: ${{ steps.release.outputs.new_release_version }}
+        run: |
+          wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
+          sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+          sudo chmod +x /usr/local/bin/cosign
+          echo "$COSIGN_PRIVATE_KEY" > cosign.key
+          cosign sign --key cosign.key ${IMAGE_NAME}:app-${VERSION}
+          cosign verify --key cosign.key ${IMAGE_NAME}:app-${VERSION}
+          cosign sign --key cosign.key ${IMAGE_NAME}:app-latest
+          cosign verify --key cosign.key ${IMAGE_NAME}:app-latest
+
       - name: "📝 Update release notes with image info"
         if: steps.release.outputs.new_release_published == 'true'
         env:
