From 15ed500b3ee820f70fd023b328d8885fbf023888 Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov <alexey.pustovalov@zabbix.com>
Date: Thu, 8 Feb 2024 16:34:58 +0900
Subject: [PATCH] Prepare universal workflow

---
 .github/workflows/images_build.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml
index ccca09852..9fe28ce24 100644
--- a/.github/workflows/images_build.yml
+++ b/.github/workflows/images_build.yml
@@ -172,6 +172,11 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
+        with:
+          cosign-release: 'v2.1.1'
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
@@ -228,6 +233,17 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.docker_build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
       - name: Image digest
         run: |
             echo ${{ steps.docker_build.outputs.digest }}