Sign images using Sigstore (#3707)

* Limit workflow job permissions to bare minimum

This allows to narrow down workflow permissions in GitHub settings

See https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
and https://docs.github.com/en/actions/security-guides/automatic-token-authentication\#permissions-for-the-github_token

Signed-off-by: Marco Franssen <[email protected]>

* Add container signing using Sigstore keyless

Signed-off-by: Marco Franssen <[email protected]>

Signed-off-by: Marco Franssen <[email protected]>
Co-authored-by: Marcos Yacob <[email protected]>

.github/workflows/nightly_build.yaml

@@ -14,11 +14,19 @@ jobs:
 
     permissions:
       contents: read
+      id-token: write
       packages: write
 
+    env:
+      COSIGN_EXPERIMENTAL: 1
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: v1.13.1
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
       - name: Build images

.github/workflows/release_build.yaml

@@ -570,11 +570,19 @@ jobs:
 
     permissions:
       contents: read
+      id-token: write
       packages: write
 
+    env:
+      COSIGN_EXPERIMENTAL: 1
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: v1.13.1
       - name: Download archived images
         uses: actions/download-artifact@v3
         with:

.github/workflows/scripts/push-images.sh

@@ -81,4 +81,8 @@ for img in "${OCI_IMAGES[@]}"; do
 
   regctl image import "${oci_dir}" "${image_variant}-image.tar"
   regctl image copy "${oci_dir}" "${image_to_push}"
+
+  image_digest="$(jq -r '.manifests[0].digest' "${ROOTDIR}oci/${image_variant}/index.json")"
+
+  cosign sign "${registry}/${img}@${image_digest}"
 done