Merge pull request #168 from JupiterOne/SRE-1913

SRE-1805 - Sign Package Collector Image

.github/actions/sign_ghcr/action.yaml

@@ -0,0 +1,38 @@
+name: Sign Package Collector Image
+description: |
+  This action is responsible for signing the Docker image of the Package Collector
+  and pushing the signature to the GitHub Container Registry (GHCR).
+
+inputs:
+  image-name:
+    description: 'The name of the image.'
+    required: true
+  image-digest:
+    description: 'The digest of the image.'
+    required: true
+  PACKAGE_GITHUB_TOKEN:
+    description: 'GitHub Token to authenticate and sign with'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3
+    - name: Log into registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.PACKAGE_GITHUB_TOKEN }}
+    # Sign the Docker image (Using OIDC Token for "keyless signing")
+    # https://github.com/sigstore/cosign-installer
+    - name: Sign the images with GH OIDC Token
+      shell: bash
+      run: |
+        cosign sign -y $IMAGE
+      env:
+        COSIGN_REPOSITORY: ghcr.io/${{ inputs.image-name }}-signatures
+        IMAGE: ghcr.io/${{ inputs.image-name }}@${{ inputs.image-digest }}