DefGuard · wojcik91 · Aug 11, 2025 · Aug 11, 2025 · Aug 11, 2025 · Aug 11, 2025
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -21,6 +21,7 @@ jobs:
       - self-hosted
       - Linux
       - ${{ matrix.runner }}
+
     strategy:
       matrix:
         cpu: [arm64, amd64]
@@ -31,23 +32,31 @@ jobs:
           - cpu: amd64
             runner: X64
             tag: amd64
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           buildkitd-config-inline: |
             [registry."docker.io"]
               mirrors = ["dockerhub-proxy.teonite.net"]
+
       - name: Build container
         uses: docker/build-push-action@v5
         with:
@@ -61,8 +70,18 @@ jobs:
 
   docker-manifest:
     runs-on: [self-hosted, Linux]
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
     needs: [build-docker]
+
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.9.2
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -71,12 +90,14 @@ jobs:
             ${{ env.GHCR_REPO }}
           flavor: ${{ inputs.flavor }}
           tags: ${{ inputs.tags }}
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Create and push manifests
         run: |
           tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
@@ -86,3 +107,13 @@ jobs:
             docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64
             docker manifest push ${tag}
           done
+
+      - name: Sign the images with GitHub OIDC Token
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign sign --yes ${images}
+
+      - name: Verify image signatures
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/proxy" -o text
diff --git a/.github/workflows/lint-web.yml b/.github/workflows/lint-web.yml
@@ -5,12 +5,14 @@ on:
     branches:
       - main
       - dev
+      - 'release/**'
     paths:
       - "web/**"
   pull_request:
     branches:
       - main
       - dev
+      - 'release/**'
     paths:
       - "web/**"
 

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -5,13 +5,15 @@ on:
     branches:
       - main
       - dev
+      - 'release/**'
     paths-ignore:
       - "*.md"
       - "LICENSE"
   pull_request:
     branches:
       - main
       - dev
+      - 'release/**'
     paths-ignore:
       - "*.md"
       - "LICENSE"