Image signing (#287)

* sign image

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

.github/workflows/image.yaml

@@ -5,6 +5,11 @@ on:
       - v*
       - dev
 
+permissions:
+  contents: read
+  packages: write
+  id-token: write 
+
 jobs:
   push-policy-reporter:
     runs-on: ubuntu-latest
@@ -41,6 +46,7 @@ jobs:
 
       - name: Build image and push to GitHub Container Registry
         uses: docker/build-push-action@v3
+        id: push
         with:
           push: true
           platforms: linux/arm64,linux/amd64,linux/s390x
@@ -49,3 +55,36 @@ jobs:
           tags: |
             ghcr.io/kyverno/policy-reporter:latest
             ghcr.io/kyverno/policy-reporter:${{ steps.params.outputs.version }}
+      
+      - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
+        with:
+          version: v1
+          args: app -licenses -json -output policy-reporter-bom.cdx.json -main .
+      
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: policy-reporter-bom-cdx
+          path: policy-reporter-bom.cdx.json
+          
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+        with:
+          cosign-release: 'v1.13.0'
+
+      - shell: bash
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
+          COSIGN_REPOSITORY: ghcr.io/kyverno/signatures
+        run: |
+          set -e
+          cosign sign \
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "ref=${{ github.sha }}" \
+            ghcr.io/kyverno/policy-reporter@${{ steps.push.outputs.digest }}
+      
+      - shell: bash
+        env:
+          COSIGN_REPOSITORY: ghcr.io/kyverno/sbom
+        run: |
+          cosign attach sbom --sbom ./policy-reporter-bom.cdx.json --type cyclonedx ghcr.io/kyverno/policy-reporter@${{ steps.push.outputs.digest }}