From 4d1a3a5bf4b3c386502f5c9b9f2e603e11e263e0 Mon Sep 17 00:00:00 2001
From: stephen-fox
Date: Mon, 27 Nov 2023 14:07:42 -0500
Subject: [PATCH] ci: Use cosign plugin to sign container images. (#202)
This commit adds the cosign-buildkite-plugin to the CI pipeline. [1]
cosign is an open-source tool developed by Chainguard that signs container images, allowing other users to cryptographically verify the origin of container images. cosign has different operating modes. This commit utilizes Chainguard's signing infrastructure via "keyless signing". [2]
Keyless signing makes image signing easy for open-source projects because Chainguard operates the signing infrastructure on behalf of others.
References
1. https://github.com/equinixmetal-buildkite/cosign-buildkite-plugin
2. https://edu.chainguard.dev/open-source/sigstore/cosign/an-introduction-to-cosign/#keyless-signing
---
 .buildkite/pipeline.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 744962a..8cdb8e9 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -55,6 +55,9 @@ steps:
 push: true
 build-args:
 - NAME=${APP_NAME}
+ - equinixmetal-buildkite/cosign#main: image: "${IMAGE_REPO}:${IMAGE_TAG}" keyless: true
 - equinixmetal-buildkite/trivy#v1.18.3:
 severity: CRITICAL,HIGH
 ignore-unfixed: true
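Review bot: The added plugin reference `equinixmetal-buildkite/cosign#main` pins to a moving branch, whereas the neighbouring trivy step in the same hunk is pinned to `#v1.18.3`; with `keyless: true` this is presumably the step that requests the job's OIDC token and produces the signature, so anyone who can push to that plugin's `main` can alter what gets signed, or where the token goes, on the project's next build. Pin it the same way as trivy — a tagged release (`#vN.N.N` from the plugin's releases page) or, stronger, a full 40-character commit SHA — and treat plugin bumps as reviewable changes. The image is also passed by mutable tag, `image: "${IMAGE_REPO}:${IMAGE_TAG}"`; if the preceding build step exposes the pushed digest, signing `${IMAGE_REPO}@<digest>` closes the window in which the tag could be re-pointed between push and sign (I am inferring that the plugin resolves the tag itself — confirm against its docs). Finally, a keyless signature is only useful if verifiers know which identity to expect, so the pipeline comment or README should record the certificate identity and OIDC issuer that `cosign verify --certificate-identity … --certificate-oidc-issuer …` must be given for this pipeline.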