From 110cbc69a502c6a98d7a94cb6e03e34f0490cab1 Mon Sep 17 00:00:00 2001
From: stephen-fox
Date: Mon, 27 Nov 2023 14:07:34 -0500
Subject: [PATCH] ci: Use cosign plugin to sign container images. (#68) This commit adds the cosign-buildkite-plugin to the CI pipeline. [1] cosign is an open-source tool developed by Chainguard that signs container images, allowing other users to cryptographically verify the origin of container images. cosign has different operating modes. This commit utilizes Chainguard's signing infrastructure via "keyless signing". [2] Keyless signing makes image signing easy for open-source projects because Chainguard operates the signing infrastructure on behalf of others. References 1. https://github.com/equinixmetal-buildkite/cosign-buildkite-plugin 2. https://edu.chainguard.dev/open-source/sigstore/cosign/an-introduction-to-cosign/#keyless-signing
---
 .buildkite/pipeline.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 50f3f8e..f572bf8 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -55,6 +55,9 @@ steps:
 push: true
 build-args:
 - NAME=${APP_NAME}
+ - equinixmetal-buildkite/cosign#main:
+ image: "${IMAGE_REPO}:${IMAGE_TAG}"
+ keyless: true
 - equinixmetal-buildkite/trivy#v1.18.2:
 severity: CRITICAL,HIGH
 ignore-unfixed: true
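Review bot: The new plugin reference `equinixmetal-buildkite/cosign#main` tracks a mutable branch, while the neighbouring `equinixmetal-buildkite/trivy#v1.18.2` step is pinned to a release; this step runs with whatever registry access the pipeline has plus the OIDC identity that `keyless: true` implies, so any change landing on that branch executes with that access on the next build without a pipeline change. Pin it the same way as trivy, e.g. `- equinixmetal-buildkite/cosign#<release-tag-or-commit>:`. A second point is that `image: "${IMAGE_REPO}:${IMAGE_TAG}"` signs a tag reference; cosign resolves the tag to a digest at signing time, so if that tag is re-pushed between the preceding push step and this one, the signature attaches to an image other than the one built here. Passing the digest produced by the build would close that window, assuming the plugin exposes an option for it (its parameters are not visible from this hunk). The step definition this plugin list belongs to starts outside the hunk.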