From 4bf707536137b704f40d91342fba693ffd246c14 Mon Sep 17 00:00:00 2001
From: Youcef Guichi <youcef@gimlet.io>
Date: Thu, 22 Feb 2024 11:54:13 +0100
Subject: [PATCH] Manifests signatures with cosign

---
 .github/workflows/publish.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a5cac1c..0559d4b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -80,3 +80,10 @@ jobs:
         --source=${{ github.repositoryUrl }} \
         --revision="${{ github.ref_name }}@sha1:${{ github.sha }}" \
         --annotations='org.opencontainers.image.description=Capacitor install manifests for Flux'
+    - name: Sign manifests
+      run: |
+        curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+        sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+        sudo chmod +x /usr/local/bin/cosign
+
+        cosign sign --key=secrets.COSIGNKEY oci://ghcr.io/gimlet-io/capacitor-manifests:${{ steps.version.outputs.version }}