From d6e21d949270861167f6ab5f34c6f09dbb9098c5 Mon Sep 17 00:00:00 2001
From: Thomas Leplus
Date: Tue, 19 Mar 2024 19:15:20 -0600
Subject: [PATCH] Update dockerimage.yml
---
 .github/workflows/dockerimage.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 4170a87..a3c693e 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -21,6 +21,11 @@ jobs:
 with:
 fetch-depth: 0
 fetch-tags: true
+ - name: Install cosign
+ if: github.ref == 'refs/heads/main'
+ uses: sigstore/cosign-installer@v3
+ with:
+ cosign-release: 'v2.1.1'
 - uses: docker/setup-qemu-action@v3
 - uses: docker/setup-buildx-action@v3
 - uses: docker/metadata-action@v5
@@ -49,6 +54,16 @@ jobs:
 sbom: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ - name: Sign the published Docker image
+ if: ${{ github.ref == 'refs/heads/main' }}
+ env:
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ run: \echo "${TAGS}" | \xargs -I {} cosign sign --yes {}@${DIGEST} \ -a "workflow=${{ github.workflow }}" \ -a "repo=${{ github.repository }}" \ -a "branch=${{ github.ref_name }}" \ -a "ref=${{ github.sha }}"
 - name: Test the Docker image
 working-directory: ${{ env.IMAGE }}
 run: docker compose -f docker-compose.test.yml run sut
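Review bot: The new `uses: sigstore/cosign-installer@v3` line references a mutable major-version tag, so the binary that later signs the release images can change between runs without any change to this repository; pinning the action to a full commit SHA with the tag kept in a trailing comment, `uses: sigstore/cosign-installer@<commit-sha> # v3`, keeps the installer reproducible and lets a dependency bot bump it deliberately. The `docker/*@v3`/`@v5` context lines have the same property, though they predate this change. The signing step added in the second hunk calls `cosign sign --yes` with no `--key`, which appears to be keyless signing; that needs the job to grant `id-token: write` (and `packages: write` to push the signature to the registry), and the job's `permissions` block is outside this hunk, so please confirm it does.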
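Review bot: The four `-a` annotation lines interpolate `${{ github.workflow }}`, `${{ github.repository }}`, `${{ github.ref_name }}` and `${{ github.sha }}` straight into the shell script, while `TAGS` and `DIGEST` two lines above are routed through `env:`; route the annotation values through the same `env:` map so no expression text is spliced into the script, which is the pattern the step already follows. The `run:` value is a plain multi-line scalar held together by trailing backslashes, which YAML folds into `\ ` escaped spaces before bash sees them; `run: |` with the continuation lines under it is the conventional form for a multi-line shell step, and the `\echo`/`\xargs` alias-suppression prefixes are unnecessary in a non-interactive shell. The `if:` here uses the `${{ }}` form while the cosign install step in the earlier hunk uses the bare expression; pick one. `steps.build-and-push.outputs.digest` assumes the build step carries `id: build-and-push`, which is outside this hunk — if it does not, `DIGEST` is empty and every `cosign sign` call is handed a malformed `tag@` reference, so a guard on the digest makes that failure explicit.
```yaml
      - name: Sign the published Docker image
        if: github.ref == 'refs/heads/main'
        env:
          # … unchanged: TAGS, DIGEST …
          WORKFLOW: ${{ github.workflow }}
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.ref_name }}
          SHA: ${{ github.sha }}
        run: |
          [ -n "${DIGEST}" ] || { echo "build step produced no digest" >&2; exit 1; }
          echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}" \
            -a "workflow=${WORKFLOW}" \
            -a "repo=${REPO}" \
            -a "branch=${BRANCH}" \
            -a "ref=${SHA}"
```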