Bump cookiecutter template to 26afa8#708

Merged
esinsj merged 1 commit into main from cruft/cookiecutter-template-26afa8 on Jun 5, 2026
Conversation

@RKIMetadataExchange

Contributor

Changes

Conflicts

diff a/.github/workflows/release.yml b/.github/workflows/release.yml	(rejected hunks)
@@ -85,6 +85,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write  # Required for cosign signing
 
     steps:
       - name: Checkout repo
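Review bot: Because this file is listed under `(rejected hunks)`, the new `id-token: write` line has to be carried into the job's `permissions:` block by hand, and it is a hard dependency of the `Sign Docker image keyless` step added in the next hunk: without an OIDC token `cosign sign` cannot obtain a Fulcio certificate and the step fails. Keep the permission scoped to this job only (as done here, alongside the explicit `contents: read` and `packages: write`) rather than promoting it to the workflow level, since every step in the job, including third-party actions, can mint an identity token once it is granted.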
@@ -102,15 +103,29 @@ jobs:
           password: ${{secrets.GITHUB_TOKEN}}
 
       - name: Build, tag and push docker image
+        id: push_step
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v.7.1.0
         env:
           IMAGE: ghcr.io/${{ github.repository }}
           TAG: ${{ needs.release.outputs.tag }}
+        with:
+          push: true
+          tags: |
+            ${IMAGE}:latest
+            ${IMAGE}:${{ github.sha }}
+            ${IMAGE}:${TAG}
+          outputs: type=image,oci-mediatypes=true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Sign Docker image keyless
+        env:
+          IMAGE: ghcr.io/${{ github.repository }}@${{ steps.push_step.outputs.digest }}
         run: |
-          docker build . \
-          --tag ${IMAGE}:latest \
-          --tag ${IMAGE}:${{ github.sha }} \
-          --tag ${IMAGE}:${TAG}
-          docker push --all-tags ${IMAGE}
+          cosign sign --yes "$IMAGE"
 
   distribute:
     runs-on: ubuntu-latest
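Review bot: The `tags:` input on the `docker/build-push-action` step still uses shell syntax (`${IMAGE}:latest`, `${IMAGE}:${TAG}`) that was only ever expanded because the old lines lived inside `run:`; `with:` inputs are not passed through a shell, so the action would receive the literal strings `${IMAGE}:latest` and `${IMAGE}:${TAG}` as tags, and the `env:` block on that step no longer has a consumer. Use expressions instead, e.g. `ghcr.io/${{ github.repository }}:latest`, `ghcr.io/${{ github.repository }}:${{ github.sha }}` and `ghcr.io/${{ github.repository }}:${{ needs.release.outputs.tag }}` (or `${{ env.IMAGE }}` if the `env:` block is kept). Signing by `${{ steps.push_step.outputs.digest }}` rather than by tag is the right choice, so that part can stay. Style nit: the version comment `# v.7.1.0` should read `# v7.1.0` to match the `# v4.1.2` form used for the cosign installer pin.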
diff a/README.md b/README.md	(rejected hunks)
@@ -92,6 +92,13 @@ components of the MEx project are open-sourced under the same license as well.
 - run directly using docker `make run`
 - start with docker compose `make start`
 
+### Container verification
+
+Images released to GHCR are signed using [cosign](https://github.com/sigstore/cosign).
+
+To verify an image manually:
+`cosign verify --certificate-identity-regexp "https://github.com/robert-koch-institut/common" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ghcr.io/robert-koch-institut/common:<tag>`
+
 ## Commands
 
 - run `uv run {command} --help` to print instructions
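Review bot: The `--certificate-identity-regexp` value in the verification command is unanchored and its dots are unescaped, so it accepts any certificate identity that merely contains that substring, including workflows in other repositories whose name starts with `common`, which weakens the guarantee the section promises. Anchor and escape it, and pin it to the signing workflow visible in this PR, e.g. `--certificate-identity-regexp '^https://github\.com/robert-koch-institut/common/\.github/workflows/release\.yml@'`; if the workflow always signs from a fixed ref, `--certificate-identity` with the full exact value is tighter still. Consider also splitting the long one-line inline-code command into a fenced shell block so it can be copied without wrapping.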

@RKIMetadataExchange RKIMetadataExchange added the cruft Fight back against the boilerplate monster label Jun 5, 2026
@RKIMetadataExchange RKIMetadataExchange self-assigned this Jun 5, 2026
@esinsj esinsj merged commit ba86c26 into main Jun 5, 2026
16 checks passed
@esinsj esinsj deleted the cruft/cookiecutter-template-26afa8 branch June 5, 2026 13:12