How to Sign a Container Image with Cosign in GitHub Actions
Keyless cosign signs an image against your workflow identity, with no key to manage.
Install cosign, push the image, then run cosign sign with id-token: write. Sigstore records the signature with your OIDC identity.
Steps
- Install cosign with
sigstore/cosign-installer. - Grant
id-token: writeandpackages: writepermissions. - Sign the pushed image by digest with
COSIGN_EXPERIMENTAL=1.
Workflow
.github/workflows/sign.yml
permissions:
id-token: write
packages: write
jobs:
sign:
runs-on: ubuntu-latest
steps:
- uses: sigstore/cosign-installer@v3
- id: build
uses: docker/build-push-action@v6
with:
push: true
tags: ghcr.io/${{ github.repository }}:latest
- run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}Gotchas
- Sign by digest, not by tag; a tag can be repointed at a different image.
- Verify with
cosign verifyand the expected workflow identity in your deploy gate.
Related guides
How to Generate an SBOM in GitHub ActionsGenerate a software bill of materials in GitHub Actions with Anchore Syft, producing an SPDX or CycloneDX SBO…
How to Publish a Docker Image to Docker Hub in GitHub ActionsBuild and push a Docker image to Docker Hub from GitHub Actions with docker/login-action and build-push-actio…