From 3dc29f2121e9fcb6e03886402ffe78709cbc3873 Mon Sep 17 00:00:00 2001
From: Julian Pollinger
Date: Sun, 30 Mar 2025 11:51:37 +0200
Subject: [PATCH] sign images in ci
---
 .gitea/workflows/build.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index d9e7770..dae2cc6 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -21,6 +21,11 @@ jobs:
 lfs: true
 submodules: true

+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+ - name: Check cosign install
+ run: cosign version
+
 - name: Docker meta
 id: meta
 uses: docker/metadata-action@v5
@@ -56,4 +61,10 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=registry,ref=harbor.pollinger.dev/build-cache/latex-build-container
- cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=harbor.pollinger.dev/build-cache/latex-build-container
\ No newline at end of file
+ cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=harbor.pollinger.dev/build-cache/latex-build-container
+
+ - name: Sign the published server image
+ env:
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
\ No newline at end of file
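Review bot: The added `uses: sigstore/cosign-installer@v3` step references a movable major tag, so the code that installs the signing tool can change between runs without any change to this workflow. Because every later signature depends on that binary, pin the action to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<full-commit-sha>  # v3`, and fix the tool version with the action's `cosign-release` input. The `cosign version` check only shows that a binary is on PATH, not that it is the release you expect. The steps list this hunk extends begins outside the hunk.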
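Review bot: The `cosign sign --yes {}@${DIGEST}` command in the new signing step names no key, and the step's `env` carries only `TAGS` and `DIGEST`, so it appears to rely on keyless signing, which needs an OIDC identity token the job can obtain without interaction. Whether this runner supplies one is not visible in the hunk; if a key pair is intended instead, pass it explicitly, e.g. `cosign sign --yes --key env://<KEY_ENV_VAR> {}@${DIGEST}`, with the key and `COSIGN_PASSWORD` coming from repository secrets. The step also succeeds without signing anything when `TAGS` is empty, since xargs then runs no command; a leading `test -n "${TAGS}" && test -n "${DIGEST}" &&` in the `run:` line would make that case fail. The `build-and-push` step id referenced here is defined outside the hunk.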