Merge pull request #23 from yoshuawuyts/feature/keyless-signing

Feature/keyless signing

Author: yoshuawuyts

.github/workflows/publish.yml

@@ -8,10 +8,15 @@ on:
 
 env:
   IMAGE_NAME: ${{ github.repository }}
+  COMPONENT_NAME: rust-wasi-hello
 
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -20,7 +25,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ghcr.io/${{ github.actor }}/rust-wasi-hello
+          images: ghcr.io/${{ github.actor }}/{{ env.COMPONENT_NAME }}
           tags: |
             type=semver,pattern={{version}}
       - name: Login to GitHub Container Registry
@@ -30,6 +35,9 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.7.0
+
       - name: Cache cargo bin
         id: cache-cargo
         uses: actions/cache@v3
@@ -51,5 +59,13 @@ jobs:
       - name: Run build script
         run: bash scripts/build.sh
 
-      - name: Run publish script
-        run: bash scripts/publish.sh ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+      - name: Publish to GitHub Container Registry
+        id: publish
+        uses: bytecodealliance/wkg-github-action@v5
+        with:
+          file: target/wasm32-wasip1/release/${{ env.COMPONENT_NAME }}.wasm
+          oci-reference-without-tag: ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}
+          version: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+
+      - name: Sign the wasm component
+        run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME}}@${{ steps.publish.outputs.digest }}