From baa24d6248ddb2a6db0263b07985896be94025b7 Mon Sep 17 00:00:00 2001
From: Till Klampaeckel
Date: Wed, 10 Jun 2026 14:47:46 +0200
Subject: [PATCH] feat(release): sign images and attach SBOM, provenance

add SBOM and max-mode SLSA provenance attestations via buildx, then sign each pushed tag by digest with cosign using keyless GitHub OIDC.
---
.github/workflows/release.yml | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d3aecb1..5861481 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ jobs:
permissions:
contents: read
packages: write
+ id-token: write
steps:
- id: load-registry-credentials
uses: 1password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0
@@ -40,9 +41,21 @@ jobs:
images: |
r.planetary-quantum.com/quantum-public/caddy
ghcr.io/hostwithquantum/quantum-caddy
- - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+ - id: build
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: rootfs/
push: true
+ sbom: true
+ provenance: mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
+ - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
with:
cosign-release: 'v2.4.1'
- name: Sign images
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
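Review bot: `id-token: write` is granted at job level, so every step in this job — the 1password/load-secrets-action and docker/build-push-action steps included, not only the cosign step — can request the GitHub OIDC token and obtain a Fulcio certificate bound to this workflow's identity. The SHA pins bound that exposure but do not remove it; either move signing into a separate job that is the only holder of `id-token: write`, or record the decision next to the permission: `id-token: write  # keyless cosign signing; every step in this job can mint the OIDC token`. The `jobs:` mapping this hunk edits starts outside the hunk.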
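Review bot: The new signing step publishes signatures but records nothing a consumer can verify against — with keyless cosign the trusted identity is the workflow URL plus the issuer `https://token.actions.githubusercontent.com`, and neither appears in this file. Add a comment above `- name: Sign images` giving the expected `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/hostwithquantum/[^/]+/.github/workflows/release.yml@refs/tags/.+$' <image>` invocation, with the repository slug and ref pattern confirmed against the actual `on:` trigger, which is not visible here. The `run:` block should also fail clearly rather than hand cosign a bare `tag@` when the build step yields no digest: prepend `: "${DIGEST:?build step produced no digest}"` before the `xargs` pipeline. With `sbom: true` and `provenance: mode=max` the digest is that of an image index, and `cosign sign` without `--recursive` signs only the index, so a pull by per-platform manifest digest will not verify — acceptable for tag-based consumers, but worth a comment if the build ever sets `platforms:`. The `steps:` list this hunk edits begins before the hunk.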