airsonic-pulse/docs/security
litebito 55f1d1342f
ci: sign container images with Cosign on release (keyless OIDC) (#195)
Complete 13.1.0's supply-chain hardening sequence (following #175 SHA pinning
and #184 Actions major bumps) by signing every released container image
with Cosign keyless signing via GitHub Actions OIDC.

What changes in release.yml:
- Top-level permissions gain id-token: write for OIDC token issuance
- docker/build-push-action step gains id: build-push so its digest output
  can be referenced by the cosign step
- New Install Cosign step using sigstore/cosign-installer@v4.1.2
  (SHA-pinned matching the #175 convention; bundles Cosign 3.0.6 by default)
- New Sign image step calling cosign sign --yes against the manifest-list
  digest from build-push. Signing by digest covers both :<version> and
  (when applicable) :latest in a single call, and the manifest-list digest
  also covers both linux/amd64 and linux/arm64 platform layers.

See docs/security/image-verification.md for the verification command,
success/failure interpretation, and the full trust-model explanation.

fixes #183

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-18 18:51:45 +02:00
..
image-verification.md ci: sign container images with Cosign on release (keyless OIDC) (#195) 2026-05-18 18:51:45 +02:00