From 5bc8a78958d982f06a1e6605953913cdea182d30 Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Wed, 17 Jan 2024 13:16:11 +0000
Subject: [PATCH] Add container signing workflow
---
 .github/workflows/build.yaml | 2 +-
 .github/workflows/sign.yaml | 47 ++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/sign.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index e5cb68a..78f675b 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -25,7 +25,7 @@ jobs:
 runs-on: ubuntu-22.04
 strategy:
 matrix:
- version: ['3_1', '3_1_2', '3_2', '3_2_0']
+ version: ['3_2'] #['3_1', '3_1_2', '3_2', '3_2_0']
 permissions:
 packages: write
 steps:
diff --git a/.github/workflows/sign.yaml b/.github/workflows/sign.yaml
new file mode 100644
index 0000000..3d006d6
--- /dev/null
+++ b/.github/workflows/sign.yaml
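Review bot: The new matrix line builds only `'3_2'` and parks the other three versions in a trailing comment, which reads as a temporary narrowing that the commit subject (adding a signing workflow) does not explain. It also leaves build.yaml out of step with the new sign.yaml in this same commit, whose matrix still lists four versions, so three of the four attestation jobs would cover tags this workflow no longer rebuilds (assuming the underscore and dotted forms name the same images). If the narrowing is deliberate, record it above the line, e.g. `# Temporarily building only 3_2 while the signing workflow is verified; restore the full list afterwards`; otherwise restore `version: ['3_1', '3_1_2', '3_2', '3_2_0']`. The enclosing job definition starts outside the hunk.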
@@ -0,0 +1,47 @@
+name: Sign container image
+
+on:
+ workflow_run:
+ workflows: ["Build and push images"]
+ types:
+ - completed
+ workflow_dispatch:
+ push:
+
+jobs:
+ sign:
+ name: Create attestation
+ runs-on: ubuntu-22.04
+ strategy:
+ matrix:
+ version: ['3.1', '3.1.2', '3.2', '3.2.0']
+ permissions:
+ packages: write
+ steps:
+ - name: Login to GHCR
+ uses: docker/login-action@v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - uses: sigstore/cosign-installer@v3.3.0
+ - uses: anchore/sbom-action/download-syft@v0
+ id: syft
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4.0.1
+ with:
+ # TODO: Remove long-lived keys and switch to OIDC once https://github.com/github/roadmap/issues/249 lands.
+ aws-access-key-id: ${{ secrets.AWS_GOVUK_ECR_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_GOVUK_ECR_SECRET_ACCESS_KEY }}
+ aws-region: eu-west-1
+ - name: Create attestation
+ run: |
+ BASE_IMAGE='ghcr.io/alphagov/govuk-ruby-base:${{ matrix.version }}'
+ BUILDER_IMAGE='ghcr.io/alphagov/govuk-ruby-builder:${{ matrix.version }}'
+ SYFT='${{steps.syft.outputs.cmd }}'
+
+ $SYFT --output spdx-json "${BASE_IMAGE}" > base.spdx.json
+ $SYFT --output spdx-json "${BUILDER_IMAGE}" > builder.spdx.json
+
+ cosign attest -y --predicate base.spdx.json --key "awskms:///alias/container-signing-key" "${BASE_IMAGE}"
+ cosign attest -y --predicate builder.spdx.json --key "awskms:///alias/container-signing-key" "${BUILDER_IMAGE}"
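Review bot: The `Create attestation` step binds each SBOM to a mutable tag (`ghcr.io/alphagov/govuk-ruby-base:${{ matrix.version }}`), so the attestation covers whatever digest that tag resolves to when the job runs rather than the image the triggering build pushed, and `-y` skips the confirmation cosign would otherwise raise for a tag-based reference; resolving the digest first, e.g. `docker pull "${BASE_IMAGE}"` then `BASE_IMAGE="$(docker inspect --format '{{index .RepoDigests 0}}' "${BASE_IMAGE}")"`, and passing the `@sha256:` reference to both syft and cosign ties the SBOM to one artifact. The `workflow_run` trigger with `types: [completed]` also fires after failed or cancelled builds and the `sign` job has no conclusion guard, so an attestation can be published for a stale tag after a broken build; `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}` on the job would close that. Likewise the bare `push:` trigger runs KMS-backed signing on every push to any branch, which looks broader than intended and is worth narrowing to the release branch or dropping. Finally, this matrix lists four dotted versions while build.yaml in the same commit now builds only `'3_2'`, so most of these jobs will attest images this run did not rebuild (assuming the two version spellings name the same tags).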