Skip to content

Sign and attest Docker Hub image #851

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
martincostello merged 5 commits into from
Nov 7, 2025
Merged

Sign and attest Docker Hub image #851

martincostello merged 5 commits into from
Nov 7, 2025

Conversation

@martincostello
Copy link
Member

@martincostello martincostello commented Nov 6, 2025

Add steps to attest and sign the images pushed to Docker Hub with GitHub Attestations and Cosign.

Copilot AI review requested due to automatic review settings November 6, 2025 14:56
@martincostello martincostello mentioned this pull request Nov 6, 2025
Merged
Copilot AI reviewed Nov 6, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds container image signing using cosign to enhance supply chain security for the published container images. The changes implement keyless signing via GitHub OIDC and provide verification instructions for users.

  • Implements cosign signing for container images in the release workflow
  • Adds artifact attestation for build provenance
  • Documents signature verification process in README

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/release.yml Adds cosign installation, image signing step, artifact attestation, and updates permissions for OIDC token access
README.md Documents how to verify container image signatures using cosign with example commands and adds cosign reference link

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@martincostello martincostello changed the title Sign and attest GHCR image Sign and attest Docker Hub image Nov 6, 2025
@martincostello
Sign and attest GHCR image
eb900d8 
Add steps to attest and sign the images pushed to Docker Hub with GitHub Attestations and Cosign.
@martincostello
Reword section
664e3eb 
Make it explicit the command is an example.
Copilot AI review requested due to automatic review settings November 6, 2025 16:48
@martincostello martincostello force-pushed the cosign-dockerhub-images branch from b885629 to 664e3eb Compare November 6, 2025 16:48
Copilot AI reviewed Nov 6, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@martincostello
Add steps for verifying GHCR signing
c632115 
Also add instructions for CI images pushed to GHCR.
@martincostello
Make the linter happy
bd52af7 
Use a variable to make the URL shorter.
Copilot AI review requested due to automatic review settings November 6, 2025 17:00
Copilot AI reviewed Nov 6, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@martincostello
Fix URL
b7522f1 
Remove superfluous `$`.
@martincostello martincostello marked this pull request as ready for review November 6, 2025 17:07
Copilot AI review requested due to automatic review settings November 6, 2025 17:07
@martincostello martincostello enabled auto-merge (squash) November 6, 2025 17:07
Copilot AI reviewed Nov 6, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@martincostello martincostello merged commit 8ba0282 into main Nov 7, 2025
50 of 51 checks passed
@martincostello martincostello deleted the cosign-dockerhub-images branch November 7, 2025 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@zeitlinger zeitlinger zeitlinger approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@martincostello @zeitlinger