feat: add cosign to sign the images (#137)

Using the output from the bake action, we sign every container image tag plus each specific digest using cosign. Closes #136 Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com> Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com> Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com> Co-authored-by: Francesco Canovai <francesco.canovai@enterprisedb.com> Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
2025-01-22 15:02:22 +01:00
parent 588f8dc7f8
commit 980c2fabc8
3 changed files with 61 additions and 0 deletions
--- a/BUILD.md
+++ b/BUILD.md
@@ -122,6 +122,13 @@ docker run -d --rm -p 5000:5000 --name registry registry:2
 This command runs a lightweight, temporary instance of the `registry:2`
 container on port `5000`.

+## Image Signing Workflow
+
+Postgres operand images are securely signed with [cosign](https://github.com/sigstore/cosign)
+based on their digest through a GitHub workflow, using the
+[`cosign-installer` action](https://github.com/marketplace/actions/cosign-installer), which leverages
+[short-lived tokens issued through OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect).
+
 ## Trademarks

 *[Postgres, PostgreSQL and the Slonik Logo](https://www.postgresql.org/about/policies/trademarks/)