WIP sign images after build

build/action.yml

@@ -105,6 +105,9 @@ outputs:
   image-name:
     description: 'Name of the Docker image that was built, with tag.'
     value: ${{ steps.get-outputs.outputs.image-name }}
+  image-digest:
+    description: 'Name of the Docker image that was built, with digest.'
+    value: ${{ steps.get-outputs.outputs.image-name }}
 
 runs:
   using: 'composite'
@@ -163,6 +166,10 @@ runs:
       with:
         version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 
+    - name: Install Cosign if not using Elvia runner # TODO: install on Elvia runner
+      # if: ${{ !startsWith(runner.name, 'elvia-runner-') }}
+      uses: sigstore/cosign-installer@v3
+
     - name: Handle deprecated inputs
       shell: bash
       run: |
@@ -206,7 +213,27 @@ runs:
       shell: bash
       id: get-outputs
       run: |
-        echo "image-name=$(cat /tmp/3lv-cli-output/image-name)" >> "$GITHUB_OUTPUT"
+        IMAGE_NAME=$(cat /tmp/3lv-cli-output/image-name)
+
+        echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
+        echo "image-digest=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)" >> "$GITHUB_OUTPUT"
+
+    - name: Sign image with Cosign using GitHub OIDC token
+      shell: bash
+      run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_DIGEST"
+      env:
+        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
+
+    - name: Verify image signatue
+      shell: bash
+      run: |
+        cosign verify \
+          --certificate-identity "$CERTIFICATE_IDENTITY" \
+          --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+          "$IMAGE_DIGEST" | jq
+      env:
+        CERTIFICATE_IDENTITY: 'https://github.com/${{ github.workflow_ref }}'
+        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
 
     - name: Upload Trivy scan results to GitHub Advanced Security
       if: ${{ inputs.trivy-upload-report == 'true' && !cancelled() }}