1. Add `id-token: write` and `contents: read` permissions to the GitHub Actions job.
2. Install cosign in the workflow using the `sigstore/cosign-installer` action.
3. Build and push the container image to your registry, capturing the full digest reference.
4. Run `cosign sign --yes <image>@<digest>`. Cosign will exchange the OIDC token for a short-lived Fulcio certificate and publish the signature to Rekor automatically.
5. Confirm the Rekor log entry UUID is printed in the action output and, optionally, save it as a build artifact.
Known gotchas
- Cosign 2.x requires the `--yes` flag to confirm the transparency log upload; omitting it causes an interactive prompt that hangs in CI.
- The Fulcio certificate embeds the workflow URL and repository as SAN values; signature verification must use matching `--certificate-identity-regexp` and `--certificate-oidc-issuer` flags.
- Signing by tag rather than digest means the signature could be attached to a different image if the tag is later overwritten; always sign by digest.