From c37d499e59d6f3c6f95c93b128361c7153a771a1 Mon Sep 17 00:00:00 2001
From: Sam Clark <1059176+samhclark@users.noreply.github.com>
Date: Sun, 22 Sep 2024 12:21:38 -0500
Subject: [PATCH 1/2] Sign images with cosign

---
 .github/workflows/build.yaml | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 55845ad..79898b1 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -21,6 +21,12 @@ jobs:
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
+
+      - name: Install cosign
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: sigstore/cosign-installer@v3.6.0
+        with:
+          cosign-release: 'v2.4.0'
 
       # Build image using Buildah action
       - name: Build Image
@@ -34,6 +40,14 @@ jobs:
             ${{ github.sha }}
             40
           oci: false
+
+      - name: Log in to GitHub Container Registry
+        uses: redhat-actions/podman-login@v1
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io/${{ github.repository_owner }}
 
       - name: Push To GHCR
         uses: redhat-actions/push-to-registry@v2
@@ -48,13 +62,15 @@ jobs:
           extra-args: |
             --disable-content-trust
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        if: github.event_name != 'pull_request'
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Sign the published OCI image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          digest: ${{ steps.push.outputs.digest }}
+          fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }}
+        run: >
+          echo "${fully_qualified_image_names_json}"
+          | jq -r '.[]'
+          | xargs -I {} cosign sign --yes "{}@${digest}"
 
       - name: Echo outputs
         if: github.event_name != 'pull_request'

From 7cdff0a20c29c28e6a91e7f4c3ab9553538a99da Mon Sep 17 00:00:00 2001
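Review bot: The new `uses: sigstore/cosign-installer@v3.6.0` line (and `uses: redhat-actions/podman-login@v1` in the next hunk) pins a third-party action to a mutable tag, so the code that runs with `packages: write` and `id-token: write` can change without any edit to this file. Pin such actions to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha-of-v3.6.0> # v3.6.0`, and let Dependabot or Renovate bump the SHA. The explicit `cosign-release: 'v2.4.0'` already fixes the cosign binary version, so only the installer action itself is left floating.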
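Review bot: The sign step's pipeline can exit 0 without signing anything: the step declares no `shell:`, so GitHub runs it with `bash -e {0}` and no `pipefail`, and a failing `jq` (or an empty `registry-paths`) simply leaves `xargs` with no input, which is not an error. Add `shell: bash` to the step (GitHub then invokes `bash --noprofile --norc -eo pipefail {0}`) and consider a follow-up `cosign verify` against `${digest}` so the job fails when no signature was attached. Signing `"{}@${digest}"` rather than a tag is the right choice; note that `registry-paths` holds one entry per tag of the same digest, so cosign is invoked once per tag for a single image, which appears redundant but is harmless.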
From: Sam Clark <1059176+samhclark@users.noreply.github.com>
Date: Sun, 22 Sep 2024 12:21:54 -0500
Subject: [PATCH 2/2] Clean up workflow

---
 .github/workflows/build.yaml | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 79898b1..f01b8c3 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -7,19 +7,16 @@ on:
   workflow_dispatch:
 
 jobs:
-  build_custom_silverblue:
-    name: main
+  build-custom-silverblue:
+    name: Build, sign, then push
     runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
       id-token: write
-    strategy:
-      fail-fast: false
     steps:
 
-      # Checkout push-to-registry action GitHub repository
-      - name: Checkout Push to Registry action
+      - name: Checkout
         uses: actions/checkout@v4
 
       - name: Install cosign
@@ -28,9 +25,8 @@ jobs:
         with:
           cosign-release: 'v2.4.0'
 
-      # Build image using Buildah action
-      - name: Build Image
-        id: build_image
+      - name: Build image
+        id: build
         uses: redhat-actions/buildah-build@v2
         with:
           containerfiles: |
@@ -39,7 +35,6 @@ jobs:
           tags: |
             ${{ github.sha }}
             40
-          oci: false
 
       - name: Log in to GitHub Container Registry
         uses: redhat-actions/podman-login@v1
@@ -49,18 +44,14 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io/${{ github.repository_owner }}
 
-      - name: Push To GHCR
+      - name: Push to GitHub Container Registry
         uses: redhat-actions/push-to-registry@v2
         id: push
-        if: github.event_name != 'pull_request'
+        if: ${{ github.event_name != 'pull_request' }}
         with:
-          image: ${{ steps.build_image.outputs.image }}
-          tags: ${{ steps.build_image.outputs.tags }}
+          image: ${{ steps.build.outputs.image }}
+          tags: ${{ steps.build.outputs.tags }}
           registry: ghcr.io/${{ github.repository_owner }}
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-          extra-args: |
-            --disable-content-trust
 
       - name: Sign the published OCI image
         if: ${{ github.event_name != 'pull_request' }}
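Review bot: The new `name: Build, sign, then push` does not match the order the steps actually run in: the Push step comes first and the Sign step consumes `steps.push.outputs.digest`, so the image is pushed and only afterwards signed. Rename it to `name: Build, push, then sign` so the job title shown in the Actions UI describes what happens. Dropping the `strategy: fail-fast: false` block is harmless here, since `fail-fast` only has an effect on matrix jobs.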
@@ -72,8 +63,7 @@ jobs:
           | jq -r '.[]'
           | xargs -I {} cosign sign --yes "{}@${digest}"
 
-      - name: Echo outputs
+      - name: Echo outputs for auditing
         if: github.event_name != 'pull_request'
         run: |
           echo "${{ toJSON(steps.push.outputs) }}"
-
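Review bot: The renamed `Echo outputs for auditing` step keeps the bare `if: github.event_name != 'pull_request'` while this commit switched the Push step to `if: ${{ github.event_name != 'pull_request' }}`, so the cleanup leaves both spellings in one file; pick one form for every step. The same step also expands `${{ toJSON(steps.push.outputs) }}` straight into the shell script; the values come from the push action rather than from event payload data, so the exposure is limited, but the robust pattern is to pass the value via `env:` (as the Sign step already does for `digest`) and reference it as a quoted shell variable.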