Merge pull request #64 from alphagov/samsimpson1/cosign

Add container signing workflow

.github/workflows/sign.yaml

@@ -0,0 +1,46 @@
+name: Sign container images
+
+on:
+  workflow_run:
+    workflows: ["Build and push images"]
+    types:
+      - completed
+  workflow_dispatch:
+
+jobs:
+  sign:
+    name: Create attestation
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        version: ['3.1', '3.1.2', '3.2', '3.2.0']
+    permissions:
+      packages: write
+    steps:
+      - name: Login to GHCR
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: sigstore/[email protected]
+      - uses: anchore/sbom-action/download-syft@v0
+        id: syft
+      - name: Configure AWS credentials
+        uses: aws-actions/[email protected]
+        with:
+          # TODO: Remove long-lived keys and switch to OIDC once https://github.com/github/roadmap/issues/249 lands.
+          aws-access-key-id: ${{ secrets.AWS_GOVUK_ECR_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_GOVUK_ECR_SECRET_ACCESS_KEY }}
+          aws-region: eu-west-1
+      - name: Create attestation
+        run: |
+          BASE_IMAGE='ghcr.io/alphagov/govuk-ruby-base:${{ matrix.version }}'
+          BUILDER_IMAGE='ghcr.io/alphagov/govuk-ruby-builder:${{ matrix.version }}'
+          SYFT='${{steps.syft.outputs.cmd }}'
+
+          $SYFT --output spdx-json "${BASE_IMAGE}" > base.spdx.json
+          $SYFT --output spdx-json "${BUILDER_IMAGE}" > builder.spdx.json
+
+          cosign attest -y --predicate base.spdx.json --key "awskms:///alias/container-signing-key" "${BASE_IMAGE}"
+          cosign attest -y --predicate builder.spdx.json --key "awskms:///alias/container-signing-key" "${BUILDER_IMAGE}"