WIP: enable signing with cosign

.github/workflows/ci.yml

@@ -28,6 +28,51 @@ env:
   BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
 
 jobs:
+  minimal-sign:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: action
+
+      -
+        name: Set up Cosign
+        uses: sigstore/cosign-installer@v3.2.0
+
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+
+      -
+        name: Build and push
+        id: docker_build
+        uses: ./action
+        with:
+          file: ./test/Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64
+          push: true
+          sign: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+
   minimal:
     runs-on: ubuntu-latest
     steps:
@@ -36,6 +81,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: action
+
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

action.yml

@@ -105,6 +105,10 @@ inputs:
     description: "GitHub Token used to authenticate against a repository for Git context"
     default: ${{ github.token }}
     required: false
+  sign:
+    description: "If true, sign the image with the GitHub Actions identity using Cosign."
+    default: 'false'
+    required: false
 
 outputs:
   imageid:

src/context.ts

@@ -38,6 +38,7 @@ export interface Inputs {
   target: string;
   ulimit: string[];
   githubToken: string;
+  sign: boolean;
 }
 
 export async function getInputs(): Promise<Inputs> {
@@ -72,7 +73,8 @@ export async function getInputs(): Promise<Inputs> {
     tags: Util.getInputList('tags'),
     target: core.getInput('target'),
     ulimit: Util.getInputList('ulimit', {ignoreComma: true}),
-    githubToken: core.getInput('github-token')
+    githubToken: core.getInput('github-token'),
+    sign: core.getBooleanInput('sign')
   };
 }
 

src/main.ts

@@ -2,6 +2,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as stateHelper from './state-helper';
 import * as core from '@actions/core';
+import * as io from '@actions/io';
 import * as actionsToolkit from '@docker/actions-toolkit';
 import {Context} from '@docker/actions-toolkit/lib/context';
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
@@ -104,6 +105,48 @@ actionsToolkit.run(
         core.setOutput('metadata', metadata);
       });
     }
+
+    if (inputs.sign) {
+      // TODO: Check if `id-token: write` is specified and ID token is available.
+
+      // Check if cosign is installed.
+      const cosignAvailable = await io
+        .which('cosign', true)
+        .then(res => {
+          core.debug(`cosignAvailable ok: ${res}`);
+          return true;
+        })
+        .catch(error => {
+          core.debug(`cosignAvailable error: ${error}`);
+          return false;
+        });
+      if (!cosignAvailable) {
+        core.setFailed(`Cosign is required to sign. See https://github.com/sigstore/cosign-installer to set up cosign.`);
+        return;
+      }
+
+      await core.group(`Cosign version`, async () => {
+        await Exec.getExecOutput('cosign', ['version'], {
+          ignoreReturnCode: true
+        }).then(res => {
+          if (res.stderr.length > 0 && res.exitCode != 0) {
+            throw new Error(`cosign version failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+          }
+        });
+      });
+
+      if (!digest) {
+        throw new Error('Digest is required to sign.');
+      }
+
+      for (const img of inputs.tags) {
+        const ref = `${img}@${digest}`;
+        await core.group(`Signing image ${ref}`, async () => {
+          // TODO: Annotate with workflow run ID, etc, from env vars.
+          await Exec.exec('cosign', ['sign', ref, '--yes']);
+        });
+      }
+    }
   },
   // post
   async () => {