From c170a2041f83c302137782128714d1137634e21e Mon Sep 17 00:00:00 2001
From: Thomas Lebeau
Date: Wed, 11 Mar 2026 14:33:54 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7=20Sign=20CI=20Docker=20image=20wit?= =?UTF-8?q?h=20ddsign?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add DDSIGN_ID_TOKEN id_token for image integrity
- Capture docker buildx metadata to a temp file
- Sign the pushed image using ddsign
---
 .gitlab-ci.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 42e3651376..e3462dd89b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -122,8 +122,13 @@ ci-image:
 when: manual
 tags: ['arch:amd64']
 image: $BUILD_STABLE_REGISTRY/images/docker:27.3.1
+ id_tokens:
+ DDSIGN_ID_TOKEN:
+ aud: image-integrity
 script:
- - docker buildx build --platform linux/amd64 --build-arg CHROME_PACKAGE_VERSION=$CHROME_PACKAGE_VERSION --tag $CI_IMAGE --push .
+ - METADATA_FILE=$(mktemp)
+ - docker buildx build --platform linux/amd64 --build-arg CHROME_PACKAGE_VERSION=$CHROME_PACKAGE_VERSION --tag $CI_IMAGE --push --metadata-file $METADATA_FILE .
+ - ddsign sign $CI_IMAGE --docker-metadata-file $METADATA_FILE
 ########################################################################################################################
 # Tests
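Review bot: The image is published under `$CI_IMAGE` by the `docker buildx build ... --push` line before `ddsign sign` runs, so a failed or interrupted signing step leaves an unsigned image in the registry under the tag other jobs pull. The job fails in that case, but nothing in this hunk removes or quarantines the pushed image, so the signature only protects consumers that verify it before use; whether they do is not visible here. I would state that next to the script, e.g. `# pushed before signing: if ddsign fails, $CI_IMAGE stays in the registry unsigned; consumers must verify the signature`, and quote the temp path as `--metadata-file "$METADATA_FILE"` and `--docker-metadata-file "$METADATA_FILE"`. The `ci-image` job starts above the hunk, so its rules and who may trigger the manual job (and thereby obtain `DDSIGN_ID_TOKEN`) cannot be checked from this patch.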