From 2535a77c2b75deeef8cf646bd198fa905d3c1e54 Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Sun, 8 Mar 2026 20:26:06 -0700
Subject: [PATCH] Add cosign keyless signing to Docker image release

Signs the container image after push using Sigstore keyless signing (GitHub Actions OIDC). This enables Kyverno signature verification in the homelab-k8s cluster.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/release.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d314be3..6d878af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ env:
 permissions:
   contents: write
   packages: write
+  id-token: write
 
 jobs:
   create-release:
@@ -229,6 +230,7 @@ jobs:
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
 
       - name: Build and push Docker image
+        id: build-and-push
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -240,5 +242,10 @@ jobs:
             ghcr.io/haasonsaas/diffscope:latest
             ghcr.io/haasonsaas/diffscope:${{ steps.get_version.outputs.VERSION }}
 
-      # Homebrew formula update can be added later when tap repository is created
-      # For now, users can use the install script or download binaries directly
\ No newline at end of file
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign image (keyless)
+        env:
+          IMAGE_REF: ghcr.io/haasonsaas/diffscope@${{ steps.build-and-push.outputs.digest }}
+        run: cosign sign --yes "${IMAGE_REF}"
\ No newline at end of file
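Review bot: `id-token: write` is added to what looks like the workflow-level `permissions:` block (the `jobs:` key follows it at column 0), so every job in this workflow, not only the one that runs `cosign sign`, is allowed to mint OIDC tokens. Least privilege would keep the grant on the job that signs: under that job add `permissions:` with `id-token: write` (together with the `packages: write` the push already needs) and leave the top-level block as it was. The `jobs:` mapping that starts at the end of this hunk continues outside it, so the job-level block is not visible here.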
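Review bot: `uses: sigstore/cosign-installer@v3` pins the tool that produces the signature Kyverno will trust to a floating major tag, so a moved tag would silently swap the signing toolchain; pin it to a full commit SHA with the version in a comment, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # v3.x` (placeholder, take the SHA from the release you intend). The same applies to `docker/build-push-action@v6` on the line whose `id: build-and-push` is added in the previous hunk, though that pin predates this commit. As a style point, the templated `IMAGE_REF:` value is an unquoted plain scalar; writing it as `IMAGE_REF: "ghcr.io/haasonsaas/diffscope@${{ steps.build-and-push.outputs.digest }}"` keeps it a string regardless of what the expression expands to, and the file should end with a newline rather than the `\ No newline at end of file` the patch leaves.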