{"id":"576615eb-44d5-4a31-843f-3cb9f523db1c","task":"Sign a container image keylessly with cosign using a GitHub Actions OIDC token and record to Rekor","domain":"docs.sigstore.dev","steps":["Grant the GitHub Actions job `id-token: write` (so it can request an OIDC token) and `contents: read`; add `packages: write` as well if the image is pushed to GHCR","Install cosign in the workflow with the `sigstore/cosign-installer` action","Build and push the container image, capturing the digest the registry returns (for example the `digest` output of `docker/build-push-action`) and forming the reference `<registry>/<image>@sha256:<hex>`","Run `cosign sign --yes <image>@<digest>`: cosign requests the job's OIDC token, exchanges it for a short-lived Fulcio certificate, signs the digest, and uploads the signature and certificate to Rekor","Confirm the `tlog entry created with index: <n>` line in the job output and optionally keep the log index (or the JSON output of `cosign verify`) as a build artifact"],"gotchas":["Cosign 2.x prompts for confirmation before uploading to the transparency log unless `--yes` (`-y`) is passed; in a non-interactive CI job that prompt cannot be answered, so the step hangs or fails","In the Fulcio certificate the SAN is the workflow URI (`https://github.com/<org>/<repo>/.github/workflows/<file>@<ref>`); repository, ref and run metadata live in Sigstore-specific X.509 extensions. Verification must pin both the identity (`--certificate-identity` or a tight `--certificate-identity-regexp`) and `--certificate-oidc-issuer https://token.actions.githubusercontent.com`; a loose regexp such as one that matches any repo in the org lets any matching workflow's signature pass","`cosign sign` resolves a tag to a digest at signing time, so if the tag is moved between push and sign the wrong image gets signed, and a consumer that verifies by tag after the tag moves trusts an image that was never signed; always sign by the digest captured from the push and verify that same digest"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/576615eb-44d5-4a31-843f-3cb9f523db1c"}
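The steps and gotchas above, put together as a complete GitHub Actions workflow. This is an added example, not code from the Sigstore docs or from the record's contributor; the registry (GHCR), the image name, the workflow file name `build-sign.yml`, and the action versions are assumptions, and the verify step pins the identity to that assumed file path and the `refs/heads/main` ref that a push to `main` produces.

```yaml
# Added example (not from the original page). Assumes the image is pushed to GHCR,
# that this file is saved as .github/workflows/build-sign.yml, and the action
# versions shown below.
name: build-sign
on:
  push:
    branches: [main]

permissions:
  contents: read      # checkout
  packages: write     # push to GHCR (assumed registry)
  id-token: write     # lets cosign request the job's OIDC token for Fulcio

jobs:
  build-sign:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/${{ github.repository }}   # assumed image name
    steps:
      - uses: actions/checkout@v4

      - uses: sigstore/cosign-installer@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Sign the digest returned by the push, never the tag. --yes skips the
      # transparency-log confirmation prompt that would otherwise block CI.
      - name: Sign image
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          cosign sign --yes "${IMAGE}@${DIGEST}"

      # Verify the same digest, pinning the exact workflow identity (the SAN in the
      # Fulcio certificate) and the GitHub Actions OIDC issuer. The JSON output
      # records what was verified, including the transparency-log bundle.
      - name: Verify signature
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          cosign verify "${IMAGE}@${DIGEST}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity "https://github.com/${GITHUB_REPOSITORY}/.github/workflows/build-sign.yml@${GITHUB_REF}" \
            --output json > verify.json

      - uses: actions/upload-artifact@v4
        with:
          name: cosign-verify
          path: verify.json
```

The verify step is deliberately part of the signing job: it fails the build if the identity or issuer pinning is wrong, which surfaces a mismatched workflow path or ref before any downstream consumer relies on the signature. Consumers should run the same `cosign verify` invocation, with the same two pins, against the digest rather than a mutable tag.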