From e94ae4e95d7d44eb9b125dcd94addd23803dffa3 Mon Sep 17 00:00:00 2001
From: Jeff Larson
Date: Wed, 10 Jun 2026 03:03:27 -0700
Subject: [PATCH] ci: sign the image with cosign (keyless)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sign each pushed image by digest using keyless cosign — GitHub's OIDC token is exchanged for a short-lived Fulcio cert and the signature is recorded in Rekor, so there's no private key to manage.

Adds id-token: write, installs cosign, and signs ghcr.io//watcher-server@ reusing the existing GHCR login.

Verify with:

cosign verify ghcr.io/thejefflarson/watcher-server@ \
--certificate-identity-regexp 'https://github.com/thejefflarson/watcher/\.github/workflows/ci\.yml@.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com

Co-Authored-By: Claude Opus 4.8
---
.github/workflows/ci.yml | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 522136f..44a3482 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,6 +72,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write # keyless cosign signing (OIDC token -> Sigstore Fulcio)
 steps:
 - uses: actions/checkout@v6
 - name: Connect to BuildKit (mTLS)
@@ -101,6 +102,7 @@ jobs:
 type=raw,value=latest
 type=sha
 - uses: docker/build-push-action@v7
+ id: build
 with:
 context: .
 file: server/Dockerfile
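Review bot: `id-token: write` is granted at the job level, so every step in this job — the checkout, the BuildKit connection and the build-push action, not only the new signing step — can request the OIDC token and obtain a Fulcio certificate in this workflow's identity; a compromised third-party action in that job could therefore mint a valid keyless signature for any image it chooses. Consider moving signing into a separate job that takes the digest as a job output and carries only `packages: write` plus `id-token: write`, so the build steps never hold the token. At minimum, pin every action in this job to a full commit SHA (the `actions/checkout@v6` context line is still a mutable tag), since the permission now extends to whatever those tags resolve to. The rest of the job's steps lie outside the hunk, so this is inferred from the visible permission block.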
@@ -108,3 +110,12 @@ jobs:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ - uses: sigstore/cosign-installer@v3
+ - name: Sign the image (keyless)
+ # Sign by immutable digest, not tag. Keyless: GitHub's OIDC token is
+ # exchanged for a short-lived Fulcio cert and the signature is recorded in
+ # the Rekor transparency log — no private key to store. cosign reuses the
+ # docker login above to push the signature to GHCR.
+ env:
+ DIGEST: ${{ steps.build.outputs.digest }}
+ run: cosign sign --yes "ghcr.io/${{ github.repository_owner }}/watcher-server@${DIGEST}"
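Review bot: `sigstore/cosign-installer@v3` is referenced by a mutable major tag, so the step that establishes trust in every published image is itself unpinned; pin it to a full commit SHA with a version comment, `- uses: sigstore/cosign-installer@<commit-sha> # v3.x`, and set `cosign-release` in `with:` so the cosign binary is a known version rather than whatever "latest" resolves to on the day of the build. The certificate identity this produces is the workflow path plus the ref that ran it, and the verify command in the description matches `ci\.yml@.*`, which would also accept a signature produced by this same workflow on any other branch or ref it happens to run on; the step comment should tell verifiers which ref to require, e.g. `# Verifiers: match --certificate-identity on the release ref (…/ci.yml@refs/heads/main), not @.*`. For consistency with `DIGEST`, `github.repository_owner` could also be passed through `env:` instead of being interpolated into `run:`. Note that `cosign sign --yes` records the image name and digest in the public Rekor log, which is fine for a public GHCR image but worth stating in the comment in case the package is ever made private.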