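# .gitea/workflows/build-sign-push.yaml
#
# Builds the image under ./image, pushes it to the registry, signs the pushed
# digest with a cosign key held in repository secrets, and finally verifies
# that signature as a CI self-check.
#
# NOTE(review): every `uses:` below is pinned to a major tag (v3/v4/v5). Tags
# are mutable; for supply-chain hardening pin each action to a full commit SHA
# and keep the tag as a trailing comment.
name: build, sign and push

on:
  push:
    branches: [main]

env:
  REGISTRY: git.realmanual.ru
  IMAGE: git.realmanual.ru/${{ gitea.repository }}

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    # Least privilege: the job only reads the checkout and writes packages.
    permissions:
      contents: read
      packages: write
    steps:
      - name: checkout
        uses: actions/checkout@v4

      # --- build ---
      - name: set up docker buildx
        uses: docker/setup-buildx-action@v3

      # image/VERSION becomes the second image tag. Fail here on an empty or
      # malformed value instead of producing an invalid tag and an obscure
      # push failure later on.
      - name: Read Version
        id: version
        run: |
          set -euo pipefail
          version="$(cat image/VERSION)"
          if [ -z "$version" ]; then
            echo "image/VERSION is empty" >&2
            exit 1
          fi
          # Docker tag grammar: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}
          if ! printf '%s' "$version" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
            echo "image/VERSION is not a valid image tag: $version" >&2
            exit 1
          fi
          echo "VERSION=$version" >> "$GITHUB_OUTPUT"

      - name: login to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          # NOTE(review): PUSH_TOKEN should be scoped to package write only — verify.
          password: ${{ secrets.PUSH_TOKEN }}

      - name: build and push
        id: build
        uses: docker/build-push-action@v5
        with:
          context: ./image
          push: true
          # Tag by commit SHA and by the version read from image/VERSION
          # (no `latest` tag is produced).
          tags: |
            ${{ env.IMAGE }}:${{ gitea.sha }}
            ${{ env.IMAGE }}:${{ steps.version.outputs.VERSION }}
          # The pushed digest is needed for signing — tags are mutable, so
          # cosign must be pointed at the digest, never at a tag.
          outputs: type=image,push=true

      # --- sign ---
      # cosign is not preinstalled on ubuntu-latest; install it explicitly.
      - name: install cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v3.0.5'

      # Signs the immutable digest with a long-lived key from repository
      # secrets. Key and passphrase are passed via env (env://) so they do not
      # appear on the command line or in logs.
      - name: sign image
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          # digest in the form sha256:abc123...
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          set -euo pipefail
          # Refuse to sign if the build step yielded no digest; otherwise
          # cosign would be handed "image@" and fail with a less clear error.
          if [ -z "${IMAGE_DIGEST:-}" ]; then
            echo "build step produced no image digest" >&2
            exit 1
          fi
          cosign sign --yes \
            --key env://COSIGN_PRIVATE_KEY \
            "${IMAGE}@${IMAGE_DIGEST}"

      # --- verify (CI self-check) ---
      # Confirms the signature was pushed and matches cosign.pub from the
      # checkout. This only checks key-pair consistency — it is not an
      # independent trust decision — and cosign.pub must be committed to the
      # repository for the step to succeed.
      - name: verify signature
        env:
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          set -euo pipefail
          if [ -z "${IMAGE_DIGEST:-}" ]; then
            echo "build step produced no image digest" >&2
            exit 1
          fi
          cosign verify \
            --key cosign.pub \
            "${IMAGE}@${IMAGE_DIGEST}"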