From f0fa2aa6bbe31ed6a4902b4a418af4e2fa88bf27 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Tue, 24 Aug 2021 17:58:54 +0300
Subject: [PATCH] Sign Flagger container images with cosign

Signed-off-by: Stefan Prodan
---
 .github/workflows/release.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3c88d307..c5dc1f8f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      - uses: sigstore/cosign-installer@main
       - name: Prepare
         id: prep
         run: |
@@ -52,9 +53,18 @@ jobs:
             org.opencontainers.image.revision=${{ github.sha }}
             org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
             org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+      - name: Sign image
+        run: |
+          echo -n "${{secrets.COSIGN_PASSWORD}}" | \
+          cosign sign -key ./cosign/cosign.key -a git_sha=$GITHUB_SHA \
+          ghcr.io/fluxcd/flagger:${{ steps.prep.outputs.VERSION }}
       - name: Check images
         run: |
           docker buildx imagetools inspect ghcr.io/fluxcd/flagger:${{ steps.prep.outputs.VERSION }}
+      - name: Verifiy image signature
+        run: |
+          cosign verify -key ./cosign/cosign.pub \
+          ghcr.io/fluxcd/flagger:${{ steps.prep.outputs.VERSION }}
       - name: Publish Helm charts
         uses: stefanprodan/helm-gh-pages@v1.3.0
         with:
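Review bot: The new step `- uses: sigstore/cosign-installer@main` pulls the action from a floating branch, so whatever runs in this release job to install the signing tool changes under you with every push to that branch, and the other step in the file is pinned (`actions/checkout@v2`). For a job that holds the signing key and password this is the one dependency most worth pinning to an immutable reference, e.g. `- uses: sigstore/cosign-installer@<pinned-release-tag-or-commit-sha>` with a comment naming the version it resolves to. The enclosing `steps:` list continues past the end of this hunk.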
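Review bot: In the `Sign image` step the secret is spliced into the shell script by `${{secrets.COSIGN_PASSWORD}}` and then echoed through a pipe, which puts the secret value into the rendered script text rather than the process environment; cosign already reads the `COSIGN_PASSWORD` environment variable, so the `echo -n ... | \` line can be dropped in favour of an `env:` entry on the step, `env:` / `  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}`, leaving `run:` as just the `cosign sign ...` command. The second added step is misnamed `Verifiy image signature` and should read `Verify image signature`. Note also that both steps address the image by the mutable tag `${{ steps.prep.outputs.VERSION }}`; verifying in the same job right after signing confirms the signing step succeeded, but consumers should verify against the digest they actually pull. The `steps:` list continues outside this hunk.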