ci: sign catalog YAML files (#135)

NiccoloFei · web-flow · commit 7cef8e5efee0 · 2026-03-10T21:32:14.000+01:00
Relates to cloudnative-pg/artifacts#9 Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
diff --git a/.github/workflows/update-catalogs.yml b/.github/workflows/update-catalogs.yml
@@ -16,7 +16,10 @@ defaults:
 
 jobs:
   update-catalogs:
+    name: Updating catalogs
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -43,6 +46,16 @@ jobs:
           module: ./dagger/maintenance/
           args: generate-catalogs --catalogs-dir artifacts/image-catalogs/ export --path artifacts/image-catalogs/
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+
+      - name: Sign catalogs
+        run: |
+          for file in artifacts/image-catalogs/*.yaml; do
+              echo "Signing $file..."
+              cosign sign-blob "$file" --bundle "$file.sigstore.json" --yes
+          done
+
       - name: Diff
         working-directory: artifacts
         run: |
