stacklok · lukehinds · Dec 12, 2024 · Dec 12, 2024
diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml
@@ -1,7 +1,7 @@
 name: Publish Docker Image
 on:
   schedule:
-    # Once weekly on fridays at noon
+    # Once weekly on Fridays at noon
     - cron: "00 12 * * 5"
   workflow_dispatch:
 
@@ -20,25 +20,25 @@ jobs:
       IMAGE_NAME: ${{ github.repository }}
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@v4
       - name: Set up QEMU for cross-platform builds
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
+        uses: docker/setup-buildx-action@v3
       - name: Compute version number
         id: version-string
         run: |
           DATE="$(date +%Y%m%d)"
           COMMIT="$(git rev-parse --short HEAD)"
-          echo "tag=0.$DATE.$GITHUB_RUN_NUMBER+ref.$COMMIT" >> "$GITHUB_OUTPUT"
+          echo "tag=0.$DATE.$GITHUB_RUN_NUMBER-ref.$COMMIT" >> "$GITHUB_OUTPUT"
       - name: Login to GHCR
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set container metadata
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
+        uses: docker/metadata-action@v5
         id: docker-metadata
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -73,15 +73,13 @@ jobs:
         run: |
           git lfs install
           git lfs pull
-      - name: Build image
+      - name: Build and Push Image
         id: image-build
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v5
+        uses: docker/build-push-action@v5
         with:
-          github-token: ${{ github.token }}
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
-          file: ./Dockerfile
           tags: ${{ steps.docker-metadata.outputs.tags }}
           labels: ${{ steps.docker-metadata.outputs.labels }}
           cache-from: type=gha
@@ -90,15 +88,30 @@ jobs:
             gh_token=${{ secrets.GH_CI_TOKEN }}
           build-args: |
             LATEST_COMMIT_SHA=${{ env.LATEST_COMMIT_SHA }}
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - name: Capture Image Digest
+        id: image-digest
+        run: |
+          echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ env.IMAGE_NAME }}:${{ steps.version-string.outputs.tag }})" >> "$GITHUB_OUTPUT"
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
         with:
-          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version-string.outputs.tag }}'
+          image-ref: '${{ steps.image-digest.outputs.digest }}'
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.image-build.outputs.digest }}
+          TAGS: ${{ steps.docker-metadata.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+