ci: sign also prod images

Signed-off-by: Francesco Canovai <[email protected]>

Author: fcanovai

.github/workflows/bake.yaml

@@ -15,7 +15,7 @@ on:
       target:
         type: string
         default: ""
-        description: "The target to build the image for comma separated list of targets"
+        description: "A comma separated list of targets to build. If empty, all targets will be built."
 
 jobs:
   # Start by building images for testing. We want to run security checks before pushing those to production.
@@ -26,6 +26,7 @@ jobs:
       contents: read
       packages: write
       security-events: write
+      # Required by the cosign step
       id-token: write
     outputs:
       metadata: ${{ steps.build.outputs.metadata }}
@@ -71,12 +72,14 @@ jobs:
       # Even if we're testing we sign the images, so we can push them to production later if that's required
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
-      - name: Check Cosign install
-        run: cosign version
-      - name: Sign images using Cosing
+        # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
+        # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
+        # how to use cosign.
+      - name: Sign images
         run: |
-          images=""
-          images=$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.[] | "\(.["image.name"]) \(.["containerimage.digest"])"' | awk -F' ' '{split($1, a, ","); for(i in a) print a[i] "@" $2}' | tr '\n' ' ')
+          images=$(echo '${{ steps.build.outputs.metadata }}' |
+            jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'
+          )
           cosign sign --yes ${images}
 
   security:
@@ -161,3 +164,15 @@ jobs:
           revision: ${{ github.sha }}
         with:
           push: true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+        # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
+        # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
+        # how to use cosign.
+      - name: Sign images
+        run: |
+          images=$(echo '${{ steps.build.outputs.metadata }}' |
+            jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'
+          )
+          cosign sign --yes ${images}