From 8dff096f681acfa00eab6657947a0ffa2a64267d Mon Sep 17 00:00:00 2001
From: Jordi Massaguer Pla
Date: Fri, 1 Dec 2023 11:57:21 +0100
Subject: [PATCH 1/3] CI: Add SBOM to publish workflow
Signed-off-by: Jordi Massaguer Pla
---
 .github/workflows/publish_map.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish_map.yml b/.github/workflows/publish_map.yml
index 5fc67d6..149548f 100644
--- a/.github/workflows/publish_map.yml
+++ b/.github/workflows/publish_map.yml
@@ -53,7 +53,14 @@ jobs:
 monai-deploy package app --base nvcr.io/nvidia/pytorch:22.08-py3 --tag map-init:temp -l DEBUG
 docker images
 docker build --build-arg INIT_CONTAINER=map-init:temp -t map-final:temp app
+ echo "IMAGE_DIGEST=$(docker images --no-trunc -q map-final:temp)" >> $GITHUB_ENV
 docker images
 monai-deploy run map tests/data/rtstructwriter/dcm tests/data/output
 ls tests/data/output
- if test -f "tests/data/output/output-rt-struct.dcm"; then echo "Output RT Struct exists."; fi
\ No newline at end of file
+ if test -f "tests/data/output/output-rt-struct.dcm"; then echo "Output RT Struct exists."; fi
+ - name: Build Software Build of Materials
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.IMAGE_DIGEST }}
+ format: spdx-json
+ output: sbom.spdx.json
From 506524d10cbb2245fbe46caf94f3ea95fc70094a Mon Sep 17 00:00:00 2001
From: Jordi Massaguer Pla
Date: Fri, 1 Dec 2023 12:03:37 +0100
Subject: [PATCH 2/3] CI: Push container to ghcr.io
Signed-off-by: Jordi Massaguer Pla
---
 .github/workflows/publish_map.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/.github/workflows/publish_map.yml b/.github/workflows/publish_map.yml
index 149548f..f761db0 100644
--- a/.github/workflows/publish_map.yml
+++ b/.github/workflows/publish_map.yml
@@ -9,6 +9,10 @@ on:
 jobs:
 build:
+ permissions:
+ contents: read
+ packages: write
+
 runs-on: ${{ matrix.os }}
 strategy:
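Review bot: The value stored in IMAGE_DIGEST on the added `echo` line is the local image ID that `docker images --no-trunc -q` prints, not a registry manifest digest, so the name is misleading and any later step that uses it as an `@sha256:` reference against ghcr.io will not resolve; if only a local scan is needed here, naming it `IMAGE_ID` and quoting the redirect (`>> "$GITHUB_ENV"`) makes the intent clear. It is also not evident from the diff that trivy-action accepts a bare image ID as `image-ref`, so that is worth confirming against a run log. `aquasecurity/trivy-action@master` is a mutable branch ref, which lets the SBOM generator change under the workflow without review; pin it to a release tag or full commit SHA (the same applies to `sigstore/cosign-installer@main` added in patch 3/3). The `run: |` block containing the shell lines starts outside the hunk.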
@@ -58,9 +62,23 @@ jobs:
 monai-deploy run map tests/data/rtstructwriter/dcm tests/data/output
 ls tests/data/output
 if test -f "tests/data/output/output-rt-struct.dcm"; then echo "Output RT Struct exists."; fi
+
 - name: Build Software Build of Materials
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: ${{ env.IMAGE_DIGEST }}
 format: spdx-json
 output: sbom.spdx.json
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Tag Docker image
+ run: docker tag map-final:temp ghcr.io/${{ github.repository }}/map-final:temp
+
+ - name: Push Docker image
+ run: docker push ghcr.io/${{ github.repository }}/map-final:temp
From 95bc6d5f416acec39611cc486b0aaa7719a8da78 Mon Sep 17 00:00:00 2001
From: Jordi Massaguer Pla
Date: Fri, 1 Dec 2023 12:08:38 +0100
Subject: [PATCH 3/3] CI: Sign image and sbom attestations
Signed-off-by: Jordi Massaguer Pla
---
 .github/workflows/publish_map.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/workflows/publish_map.yml b/.github/workflows/publish_map.yml
index f761db0..73e0d18 100644
--- a/.github/workflows/publish_map.yml
+++ b/.github/workflows/publish_map.yml
@@ -12,6 +12,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
 runs-on: ${{ matrix.os }}
@@ -82,3 +83,16 @@ jobs:
 - name: Push Docker image
 run: docker push ghcr.io/${{ github.repository }}/map-final:temp
+
+ - name: Install sigstore cosign
+ uses: sigstore/cosign-installer@main
+
+ - name: Sign image
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }}
+
+ - name: Sign attestations
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ run: cosign attest --yes --type spdx --predicate sbom.spdx.json ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }}
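Review bot: The login step reads `registry: ${{ env.REGISTRY }}`, but no `REGISTRY` variable is defined anywhere in this series while the tag and push steps hardcode `ghcr.io`; unless REGISTRY is set elsewhere in the workflow (not visible here), the expression expands to an empty string, login-action falls back to Docker Hub, and the push to ghcr.io fails as unauthenticated. Either write `registry: ghcr.io` directly or define REGISTRY at workflow level and use it on the tag and push lines as well. Pushing a fixed `:temp` tag from a job that runs on `${{ matrix.os }}` also means every matrix entry overwrites the same tag, so the image that ends up being signed in patch 3/3 is whichever push landed last; a per-run tag such as `${{ github.sha }}` avoids that race.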
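Review bot: The reference on the `cosign sign` line, `ghcr.io/${{ github.repository }}@${{ env.IMAGE_DIGEST }}`, does not match what was pushed: the push went to `ghcr.io/${{ github.repository }}/map-final:temp`, so the `/map-final` path component is missing, and IMAGE_DIGEST holds the local image ID captured with `docker images -q` in patch 1/3 rather than the manifest digest ghcr.io assigned on push, so cosign will look up a digest that does not exist in the registry. Resolve the pushed repo digest after the push step and sign and attest that reference instead; the same fix applies to the `cosign attest` line. cosign's `spdx` predicate type is for the SPDX text format, while `sbom.spdx.json` is SPDX JSON, for which the matching type is `spdxjson`. `COSIGN_EXPERIMENTAL` appears to be a cosign 1.x requirement for keyless signing that a current install ignores, so it can probably be dropped, but confirm against the cosign version the installer pins.
```yaml
      - name: Push Docker image
        run: docker push ghcr.io/${{ github.repository }}/map-final:temp

      - name: Resolve pushed image digest
        run: |
          echo "IMAGE_REF=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}/map-final:temp)" >> "$GITHUB_ENV"

      # … unchanged: Install sigstore cosign step …

      - name: Sign image
        # … unchanged: env block …
        run: cosign sign --yes "${{ env.IMAGE_REF }}"

      - name: Sign attestations
        # … unchanged: env block …
        run: cosign attest --yes --type spdxjson --predicate sbom.spdx.json "${{ env.IMAGE_REF }}"
```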