From e1d73208dd2a83206c6b655027339fe4830150d3 Mon Sep 17 00:00:00 2001
From: Stacky McStackface
Date: Fri, 14 Jul 2023 08:34:51 +0000
Subject: [PATCH] Update templated files to rev ec01d15 (#300)

Automatically created PR based on commit ec01d153883ed8bc0a34a14489a9aebcee415017 in stackabletech/operator-templating repo. Triggered by: Manual run triggered by: dervoeti with message [Sign container images in Nexus]
---
 .github/workflows/build.yml | 4 ++++
 Makefile | 11 ++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f5f26466..fe88151e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -282,6 +282,8 @@ jobs:
 - tests_passed
 - select_helm_repo
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 env:
 NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
 HELM_REPO: ${{ needs.select_helm_repo.outputs.helm_repository }}
@@ -312,6 +314,8 @@ jobs:
 # Recreate charts and publish charts and docker image. The "-e" is needed as we want to override the
 # default value in the makefile if called from this action, but not otherwise (i.e. when called locally).
 # This is needed for the HELM_REPO variable.
+ - name: Set up Cosign
+ uses: sigstore/cosign-installer@v3.0.5
 - name: Publish Docker image and Helm chart
 run: make -e publish
 # Output the name of the published image to the Job output for later use
diff --git a/Makefile b/Makefile
index 0fb4dfc9..a68ed088 100644
--- a/Makefile
+++ b/Makefile
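Review bot: Declaring `permissions:` with only `id-token: write` resets every other scope of this job's GITHUB_TOKEN to `none`, including `contents`, so a step in this job that checks out the repository or reads releases (the rest of the job is outside the hunk) may now fail with a 403 where it worked before. If the job does check out, add `contents: read` under the same `permissions:` block; keeping the grant at job level rather than workflow level is the right least-privilege choice, since the OIDC token should only be minted in the job that runs cosign. A short comment such as `# id-token is needed for keyless cosign signing in 'make publish'` would tell the next maintainer why this job alone has it.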
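Review bot: `uses: sigstore/cosign-installer@v3.0.5` pins the tool that produces the release signatures to a mutable tag, so a repointed tag in the action repository could swap the installer (and thus the cosign binary) without any change here. Pin it to the full commit SHA and keep the version as a trailing comment, `uses: sigstore/cosign-installer@<commit-sha> # v3.0.5`, and let Dependabot or Renovate propose bumps. It would also help to note in a comment which cosign major version the installer provides (the v3 line of the action installs cosign 2.x, whose `sign` defaults to keyless mode with a transparency-log upload), since the `make -e publish` step below depends on that behavior.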
@@ -30,7 +30,16 @@ docker-build:
 docker-publish:
 echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"
- docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}"
+ DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\
+ # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
+ REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
+ if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\
+ echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}';\
+ exit 1;\
+ fi;\
+ # This generates a signature and publishes it to the registry, next to the image\
+ # Uses the keyless signing flow with Github Actions as identity provider\
+ cosign sign -y ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:@$$REPO_DIGEST_OF_IMAGE
 # TODO remove if not used/needed
 docker: docker-build docker-publish
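Review bot: The recipe signs the digest but never checks the signature back, so a signature that was not stored next to the image or was issued under an unexpected identity still lets the publish succeed; add a fail-closed check after `cosign sign`, e.g. `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<expected workflow identity>' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE"`, and state that identity in the comment above the sign step, because consumers need it to verify. Only the digest of the `${VERSION}` tag is signed while `--all-tags` pushes every tag, so if any other tag resolves to a different manifest it is published unsigned (the tag set is not visible here). Keyless signing with `-y` also uploads the certificate and the full image reference to the public Rekor log without a prompt, which discloses the registry host and repository path if Nexus is meant to be private; `--tlog-upload=false` or a private Rekor instance are the alternatives, and a local `make publish` will now hit an interactive OIDC flow. The `…:@$$REPO_DIGEST_OF_IMAGE` reference with an empty tag appears to be tolerated by cosign's reference parser, but the canonical form is `…@$$REPO_DIGEST_OF_IMAGE`, and the awk `{64}` interval is not supported by some awk builds (older mawk), which would make the lookup fail closed with the error on the next line rather than sign.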