add signing

.github/workflows/build.yml

@@ -26,15 +26,24 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Set Docker metadata
+        id: docker_meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/some-natalie/jekyll-in-a-can
+          tags: |
+            type=sha,format=long
+            type=raw,value=latest
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
 
-      - name: Build and push
-        id: push
+      - name: Build and push the container
+        id: build-and-push
         uses: docker/build-push-action@v6
         with:
           file: ./Dockerfile
@@ -49,3 +58,17 @@ jobs:
           subject-name: ghcr.io/some-natalie/jekyll-in-a-can
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.docker_meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}