From 844a7ad668c5b88e34febd9881a553a56b395e42 Mon Sep 17 00:00:00 2001
From: simone ragonesi <102741679+R3DRUN3@users.noreply.github.com>
Date: Thu, 25 Jan 2024 08:20:03 +0100
Subject: [PATCH] ci: add sbom attestation step to release action (#2873)

Signed-off-by: r3drun3
---
 .github/workflows/release.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 48c8ca6e3b..75930be135 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -202,6 +202,17 @@ jobs:
         with:
           tag_name: ${{ matrix.config.tagName }}
           files: ./sbom-${{ matrix.config.name }}.spdx.json
+
+      - name: Attest the Image with SBOM
+        env:
+          IMAGE_DIGEST: ${{ steps.docker_build_image.outputs.digest }}
+        run: |
+          cosign attest --yes --type spdx --predicate ./sbom-${{ matrix.config.name }}.spdx.json ${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}
+          cosign verify-attestation --type spdx \
+            --certificate-identity-regexp="https://github.com/keptn/lifecycle-toolkit/.*" \
+            --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+            ${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}
+
   update-examples:
     name: Update examples
     needs:
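Review bot: The `--certificate-identity-regexp` passed to `cosign verify-attestation` is unanchored and leaves `.` unescaped, so it accepts any certificate SAN that merely contains `https://github.com/keptn/lifecycle-toolkit/` anywhere in it and any workflow in the repository; anchor and narrow it to the workflow being patched, e.g. `--certificate-identity-regexp="^https://github\.com/keptn/lifecycle-toolkit/\.github/workflows/release\.yml@"`. The step also declares `IMAGE_DIGEST` under `env:` but then re-interpolates it as `${{ env.IMAGE_DIGEST }}` inside `run:`; using the shell variables `$IMAGE_NAME@$IMAGE_DIGEST` keeps workflow expressions out of the script text, which is the recommended pattern for `run:` steps. Keyless `cosign attest` requires the job to grant `id-token: write`, and an empty `steps.docker_build_image.outputs.digest` would produce an `IMAGE@` reference that fails at attest time; neither the permissions block nor that step id is visible in this hunk, so confirm both. The enclosing job starts before and continues past this hunk.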