Skip to content

fix: sign Docker images with Cosign #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
noraeb merged 2 commits into from
May 12, 2026
Merged

fix: sign Docker images with Cosign #76

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5fe1c1a
fix: sign images with Cosign
noraeb May 8, 2026
93ae221
fix: delete broken workflow
noraeb May 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 0 additions & 28 deletions .github/workflows/automate-projects.yml
View file
Open in desktop

This file was deleted.

11 changes: 11 additions & 0 deletions .github/workflows/release-please.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ on:

permissions:
contents: write
id-token: write
pull-requests: write

name: release-please
Expand Down Expand Up @@ -61,6 +62,10 @@ jobs:
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Install Cosign
if: ${{ steps.release.outputs.release_created }}
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

- name: Create custom Maven Settings.xml
if: ${{ steps.release.outputs.release_created }}
Expand All @@ -78,3 +83,9 @@ jobs:
run: ./mvnw -B -s custom_maven_settings.xml -Pnative-image,release clean deploy
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Sign Docker image with Cosign
if: ${{ steps.release.outputs.release_created }}
run: |
DIGEST=$(docker buildx imagetools inspect lfenergy/compas-sitipe-service:${{ steps.release.outputs.version }} --format '{{.Manifest.Digest}}')
cosign sign --yes lfenergy/compas-sitipe-service@"${DIGEST}"
15 changes: 15 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,21 @@ SPDX-License-Identifier: Apache-2.0
-->
# Security Policy

## Verifying Docker images

Docker images published by this project are signed using [Cosign](https://github.com/sigstore/cosign) keyless signing via [Sigstore](https://www.sigstore.dev/). Signatures are recorded in the public [Rekor](https://rekor.sigstore.dev/) transparency log — no private key is stored or required.

To verify an image, install Cosign ([instructions](https://docs.sigstore.dev/cosign/system_config/installation/)) and run:

```sh
cosign verify \
--certificate-identity "https://github.com/com-pas/compas-sitipe-service/.github/workflows/release-please.yml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
lfenergy/compas-sitipe-service:<tag>
```

Replace `<tag>` with the specific release tag (e.g. `v0.3.1`) or `latest`.

## Reporting a Vulnerability

Please go to [Security Advisories](https://github.com/com-pas/compas-sitipe-service/security/advisories) to privately report a security vulnerability,
Expand Down
Loading