sigstore.yml

on:
  ## This workflow only runs on the default branch
  release:
    types: [published]
  push:
    branches:
        - fix/oci-registry-format-signing-auth

jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    name: Sign Chart
    steps:
      - name: Checkout
        uses: actions/checkout@main
        with:
          fetch-depth: 0
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.7.0
      - name: Check Cosign
        run: cosign version
      - name: Cosign with OIDC
        run: |
          # Get the latest tag
          LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1` | tr -d 'v')
          # Obtain the digest from this tag
          DIGEST=$(curl "https://hub.docker.com/v2/repositories/snyk/snyk-universal-broker/tags/${LATEST_TAG}" | jq '.digest' -r)
          # Sign the image, using GitHub as an OIDC provider
          cosign sign --yes snyk/snyk-universal-broker@${DIGEST}
          cosign sign --yes snyk/snyk-universal-broker:${LATEST_TAG}
      - name: Verify signature
        run: |
          cosign verify \
            snyk/snyk-universal-broker-helm@${DIGEST} \
            --certificate-identity-regexp="https://github.com/snyk/snyk-universal-broker-helm/.*" \
            --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
          cosign verify \
            snyk/snyk-universal-broker-helm:${LATEST_TAG} \
            --certificate-identity-regexp="https://github.com/snyk/snyk-universal-broker-helm/.*" \
            --certificate-oidc-issuer="https://token.actions.githubusercontent.com"