From 23e353cc0e84b0056d0288c558c5310873965d23 Mon Sep 17 00:00:00 2001
From: Enguerrand Allamel
Date: Thu, 12 Sep 2024 14:40:56 +0200
Subject: [PATCH] feat: add first version of the container sign action
---
 README.md | 14 +++++----
 actions/sign-container/README.md | 49 +++++++++++++++++++++++++++++++
 actions/sign-container/action.yml | 27 +++++++++++++++++
 3 files changed, 85 insertions(+), 5 deletions(-)
 create mode 100644 actions/sign-container/README.md
 create mode 100644 actions/sign-container/action.yml
diff --git a/README.md b/README.md
index 32751c6..4a97434 100644
--- a/README.md
+++ b/README.md
@@ -4,12 +4,16 @@ Github Action - Security actions and reusable workflow used at Ledger
 > [!TIP]
 > To benefit from the patch and minor upgrade, please use the major tag of the action that you are using
+> [!IMPORTANT]
+> Theses actions can require to define custom permission inside the Github Action Workflow where they are use. Like, `id-token: write`or `attestations: write`, please refer to the documenation of each action to have more informations.
+
 ## Actions
-| Path | Usage |
-| ------------- | ------------- |
-| actions/jfrog-login | This action is used to login to the JFrog Plateform of Ledger (Artifactory, Xray, etc.). |
-| actions/attest | This action is used to generate a provenance file and to sign it (attestation in-toto format). |
-| actions/sign-blob | This action is used to sign a blob in keyless mode based on Github OIDC token. |
+| Path | Last major version | Usage |
+| ------------- | ------------- | ------------- |
+| actions/jfrog-login | `actions/jfrog-login-1` | This action is used to login to the JFrog Plateform of Ledger (Artifactory, Xray, etc.). |
+| actions/attest | `actions/attest-1` | This action is used to generate a provenance file and to sign it (attestation in-toto format). |
+| actions/sign-blob | `actions/sign-blob-1` | This action is used to sign a blob in keyless mode based on Github OIDC token. |
+| actions/sign-container | `actions/sign-container-1` | This action is used to sign a container image with a list of tags in keyless mode based on Github OIDC token. |
diff --git a/actions/sign-container/README.md b/actions/sign-container/README.md
new file mode 100644
index 0000000..171bc6a
--- /dev/null
+++ b/actions/sign-container/README.md
@@ -0,0 +1,49 @@
+# Action: sign-blob
+
+
+## Description
+
+This action is used to sign a container image with a list of tags in keyless mode based on Github OIDC token.
+
+
+## Usage
+
+### Permissions
+```yaml
+permissions:
+ id-token: write
+```
+
+### Example Workflow
+```yaml
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Sign a blob
+ id: sign-blob
+ uses: LedgerHQ/actions-security/actions/sign-container@actions/sign-container-1
+ with:
+ tags: ""
+ disgest: ""
+```
+
+
+## Inputs
+
+| name | description | required | default |
+| --- | --- | --- | --- |
+| `tags` |

List of tags to sign (based on the output of the docker/metadata-action)

| `true` | `""` | +| `digest` |

Digest of the container image to sign (based on the output of the docker/build-push-action)

| `true` | `""` |
+
+
+
+
+
+
+
+
+## Runs
+
+This action is a `composite` action.
+ 
\ No newline at end of file
diff --git a/actions/sign-container/action.yml b/actions/sign-container/action.yml
new file mode 100644
index 0000000..258b3b4
--- /dev/null
+++ b/actions/sign-container/action.yml
@@ -0,0 +1,27 @@
+name: "[Ledger Security] Sign container image"
+description: "This action is used to sign a container image with a list of tags in keyless mode based on Github OIDC token."
+
+inputs:
+ tags:
+ description: 'List of tags to sign (based on the output of the docker/metadata-action)'
+ required: true
+ default: ""
+ digest:
+ description: 'Digest of the container image to sign (based on the output of the docker/build-push-action)'
+ required: true
+ default: ""
+
+
+runs:
+ using: "composite"
+ steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3
+ - name: Sign containers images
+ shell: bash
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
\ No newline at end of file
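Review bot: The `Sign containers images` step reads `${TAGS}` and `${DIGEST}` in its `run` script, but nothing in the action.yml hunk sets those variables — `inputs.tags` and `inputs.digest` are never mapped into the step's environment, so the loop iterates over an empty string and `cosign sign --yes` is invoked with no image reference. Add an `env:` block to that step: `env:` / `TAGS: ${{ inputs.tags }}` / `DIGEST: ${{ inputs.digest }}`. GitHub runs `shell: bash` composite steps with `-eo pipefail`, so the empty invocation would at least fail, but an explicit check that both inputs are non-empty gives a clear error, and collecting the references in a bash array instead of the unquoted `${images}` string keeps a tag containing glob characters from being subject to pathname expansion. The `default: ""` on both inputs undercuts `required: true` — a caller that omits an input gets an empty string rather than a failure — so the runtime guard is what actually enforces the contract. The installer is referenced by the floating `sigstore/cosign-installer@v3` tag; pinning it to a full commit SHA is the usual hardening for an action whose purpose is supply-chain attestation.
```yaml
# … unchanged: name/description/inputs and the Install Cosign step …
      - name: Sign containers images
        shell: bash
        env:
          TAGS: ${{ inputs.tags }}
          DIGEST: ${{ inputs.digest }}
        run: |
          if [ -z "${TAGS}" ] || [ -z "${DIGEST}" ]; then
            echo "::error::inputs 'tags' and 'digest' must both be non-empty"
            exit 1
          fi
          images=()
          for tag in ${TAGS}; do  # unquoted on purpose: one tag per whitespace-separated word
            images+=("${tag}@${DIGEST}")
          done
          cosign sign --yes "${images[@]}"
```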