From 0bb8b2b059c724dfa152348171c0c413cfc1a8d4 Mon Sep 17 00:00:00 2001
From: Deirdre Connolly
Date: Wed, 24 Jun 2020 02:28:47 -0400
Subject: [PATCH] Sign container images for later binary authorization

---
 .github/workflows/cd.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 72dc2f41..59b85cf8 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -45,6 +45,17 @@ jobs:
 --machine-type n1-highcpu-32 \
 --timeout 3600s \
 
+ # Create an attestation on the new image with our existing attestor
+ - name: Create attestation
+ run: |
+ ARTIFACT_URL=$(gcloud container images describe "gcr.io/$PROJECT_ID/$BRANCH_NAME:$SHA7" \
+ --format="value(image_summary.fully_qualified_digest)");
+
+ gcloud alpha container binauthz attestations sign-and-create \
+ --artifact-url="${ARTIFACT_URL}" \
+ --attestor="projects/zealous-zebra/attestors/zebrad-attestor" \
+ --keyversion="projects/zealous-zebra/locations/global/keyRings/binary-authorization/cryptoKeys/zebrad-attestor/cryptoKeyVersions/1";
+
 # Create instance template from container image
 - name: Create instance template
 run: |
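Review bot: The new `Create attestation` step signs whatever image the preceding build step produced, unconditionally, so if this workflow runs on every branch push (the trigger is outside the hunk, so this is inferred from the `$BRANCH_NAME` image tag) the `zebrad-attestor` ends up vouching for any branch's build and a binauthz policy keyed on it proves little more than "built by CI"; gate the step on the release ref, e.g. add `if: github.ref == 'refs/heads/main'` to the step. The attestor and KMS key are hard-coded to `projects/zealous-zebra/...` while the image path uses `$PROJECT_ID`, which will diverge silently if that variable ever points elsewhere — use `projects/$PROJECT_ID/...` if they are the same project, or add a comment saying why they differ. `--keyversion` pins `cryptoKeyVersions/1`, so rotating the attestor's signing key requires an edit here; a comment such as `# Bump cryptoKeyVersions/N when the attestor key is rotated; old attestations stay valid under the old version` keeps that operational coupling visible. The enclosing job definition starts before and ends after the hunk.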