How to Build a Multi-Arch Image and Sign It in GitHub Actions
A multi-arch image without a signature is unverifiable; Cosign keyless signing binds it to the workflow that built it.
Build with docker/build-push-action for multiple platforms, then cosign sign the resulting digest keylessly via the OIDC token.
Steps
- Set up QEMU and Buildx for multi-platform builds.
- Build and push for
linux/amd64,linux/arm64, capturing the digest. - Install Cosign and sign the digest keylessly.
- Grant
id-token: writeso Cosign can fetch the OIDC token.
Workflow
.github/workflows/build-sign.yml
name: Build & Sign
on:
push:
branches: [main]
permissions:
id-token: write
packages: write
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- id: push
uses: docker/build-push-action@v6
with:
platforms: linux/amd64,linux/arm64
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
- uses: sigstore/cosign-installer@v3
- run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}Related guides
How to Sign a Container Image with Cosign in GitHub ActionsSign a container image with Sigstore cosign in GitHub Actions using keyless OIDC signing, so consumers can ve…
How to Build a Multi-Arch Docker Image in GitHub ActionsBuild a multi-architecture Docker image (amd64 + arm64) in GitHub Actions with QEMU and Buildx, pushing a sin…