From 419a418e1b3ddd2dd001104d91c15c49c5ed0b95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D7=A0=CF=85=CE=B1=CE=B7=20=D7=A0=CF=85=CE=B1=CE=B7=D1=95?= =?UTF-8?q?=CF=83=CE=B7?= Date: Sun, 15 Mar 2026 20:53:14 -0700 Subject: [PATCH 1/6] feat: add cosign signing and SBOM to docker publish MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sign images with cosign using GitHub OIDC keyless signing. Generate SBOM via BuildKit's built-in SBOM generator. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- .github/workflows/docker-publish.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 52bb86cc..ae33b690 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -8,6 +8,7 @@ on: permissions: contents: read packages: write + id-token: write jobs: publish: @@ -43,9 +44,19 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push + id: build uses: docker/build-push-action@v7 with: context: . push: true platforms: linux/amd64,linux/arm64 tags: ghcr.io/${{ github.repository }}:latest + sbom: true + + - name: Install cosign + uses: sigstore/cosign-installer@v3 + + - name: Sign image with cosign + env: + DIGEST: ${{ steps.build.outputs.digest }} + run: cosign sign --yes ghcr.io/${{ github.repository }}@${DIGEST} From 01cf74ea10b8387153db55a108999c1ea5e910cc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=D7=A0=CF=85=CE=B1=CE=B7=20=D7=A0=CF=85=CE=B1=CE=B7=D1=95?= =?UTF-8?q?=CF=83=CE=B7?= Date: Sun, 15 Mar 2026 20:55:28 -0700 Subject: [PATCH 2/6] docs: add cosign verification and SBOM to install docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Document image signing, signature verification, and SBOM download. Link to the GHCR package page. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- docs/docs/sidebar/intro.md | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/docs/docs/sidebar/intro.md b/docs/docs/sidebar/intro.md index 766454ef..534271d1 100644 --- a/docs/docs/sidebar/intro.md +++ b/docs/docs/sidebar/intro.md @@ -25,14 +25,29 @@ Or download a prebuilt binary from the [releases][] page. ### Docker -A distroless image is published to GitHub Container Registry on every commit to -main: +A multi-arch distroless image is published to +[GitHub Container Registry][ghcr] on every commit to main. Images are signed +with [cosign][] (keyless, via GitHub OIDC) and include an [SBOM][] attestation. ```bash docker pull ghcr.io/osapi-io/osapi:latest docker run ghcr.io/osapi-io/osapi:latest --help ``` +Verify the image signature: + +```bash +cosign verify ghcr.io/osapi-io/osapi:latest \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-identity-regexp github.com/osapi-io/osapi +``` + +Download the SBOM: + +```bash +cosign download sbom ghcr.io/osapi-io/osapi:latest +``` + ## Quickstart Install OSAPI and start all three components in a single process: @@ -96,4 +111,7 @@ osapi client health [Cockpit]: https://cockpit-project.org/ [webmin]: https://webmin.com/ [releases]: https://github.com/retr0h/osapi/releases +[ghcr]: https://github.com/osapi-io/osapi/pkgs/container/osapi +[cosign]: https://github.com/sigstore/cosign +[SBOM]: https://en.wikipedia.org/wiki/Software_supply_chain 
From 39df30863befe12bcd2dee886bc509f0c359099c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D7=A0=CF=85=CE=B1=CE=B7=20=D7=A0=CF=85=CE=B1=CE=B7=D1=95?= =?UTF-8?q?=CF=83=CE=B7?= Date: Sun, 15 Mar 2026 20:56:36 -0700 Subject: [PATCH 3/6] style: fix line wrapping in Docker install docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- docs/docs/sidebar/intro.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs/sidebar/intro.md b/docs/docs/sidebar/intro.md index 534271d1..9c0607e8 100644 --- a/docs/docs/sidebar/intro.md +++ b/docs/docs/sidebar/intro.md @@ -25,9 +25,9 @@ Or download a prebuilt binary from the [releases][] page. ### Docker -A multi-arch distroless image is published to -[GitHub Container Registry][ghcr] on every commit to main. Images are signed -with [cosign][] (keyless, via GitHub OIDC) and include an [SBOM][] attestation. +A multi-arch distroless image is published to [GitHub Container Registry][ghcr] +on every commit to main. Images are signed with [cosign][] (keyless, via GitHub +OIDC) and include an [SBOM][] attestation. ```bash docker pull ghcr.io/osapi-io/osapi:latest From 609cce64d0afd55d0fedae7e41c4f03f0e2260f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D7=A0=CF=85=CE=B1=CE=B7=20=D7=A0=CF=85=CE=B1=CE=B7=D1=95?= =?UTF-8?q?=CF=83=CE=B7?= Date: Sun, 15 Mar 2026 20:58:28 -0700 Subject: [PATCH 4/6] docs: add Docker/cosign/SBOM badges and fix org references MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add badges for GHCR container image, cosign signing, and SBOM. Fix all badge URLs from retr0h/osapi to osapi-io/osapi. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4aa2d0bb..c6c631f7 100644 --- a/README.md 
+++ b/README.md 
@@ -1,13 +1,16 @@ -[![release](https://img.shields.io/github/release/retr0h/osapi.svg?style=for-the-badge)](https://github.com/retr0h/osapi/releases/latest) -[![codecov](https://img.shields.io/codecov/c/github/retr0h/osapi?token=NF0T86B1EP&style=for-the-badge)](https://codecov.io/gh/retr0h/osapi) +[![release](https://img.shields.io/github/release/osapi-io/osapi.svg?style=for-the-badge)](https://github.com/osapi-io/osapi/releases/latest) +[![codecov](https://img.shields.io/codecov/c/github/osapi-io/osapi?token=NF0T86B1EP&style=for-the-badge)](https://codecov.io/gh/osapi-io/osapi) [![go report card](https://goreportcard.com/badge/github.com/retr0h/osapi?style=for-the-badge)](https://goreportcard.com/report/github.com/retr0h/osapi) [![license](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=for-the-badge)](LICENSE) -[![build](https://img.shields.io/github/actions/workflow/status/retr0h/osapi/go.yml?style=for-the-badge)](https://github.com/retr0h/osapi/actions/workflows/go.yml) +[![build](https://img.shields.io/github/actions/workflow/status/osapi-io/osapi/go.yml?style=for-the-badge)](https://github.com/osapi-io/osapi/actions/workflows/go.yml) +[![docker](https://img.shields.io/badge/ghcr.io-osapi-blue?style=for-the-badge&logo=docker&logoColor=white)](https://github.com/osapi-io/osapi/pkgs/container/osapi) +[![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://github.com/sigstore/cosign) +[![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://github.com/osapi-io/osapi/pkgs/container/osapi) [![powered by](https://img.shields.io/badge/powered%20by-goreleaser-green.svg?style=for-the-badge)](https://github.com/goreleaser) [![conventional commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg?style=for-the-badge)](https://conventionalcommits.org) ![openapi 
initiative](https://img.shields.io/badge/openapiinitiative-%23000000.svg?style=for-the-badge&logo=openapiinitiative&logoColor=white) ![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black) -![gitHub commit activity](https://img.shields.io/github/commit-activity/m/retr0h/osapi?style=for-the-badge) +![gitHub commit activity](https://img.shields.io/github/commit-activity/m/osapi-io/osapi?style=for-the-badge) # OS API From 2988e7f03d5cd0f3e6f750a1c22154423e4b7e03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D7=A0=CF=85=CE=B1=CE=B7=20=D7=A0=CF=85=CE=B1=CE=B7=D1=95?= =?UTF-8?q?=CF=83=CE=B7?= Date: Sun, 15 Mar 2026 20:59:25 -0700 Subject: [PATCH 5/6] fix: link SBOM badge to install docs with download instructions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c6c631f7..6d5b38c8 100644 --- a/README.md +++ b/README.md 
@@ -5,7 +5,7 @@ [![build](https://img.shields.io/github/actions/workflow/status/osapi-io/osapi/go.yml?style=for-the-badge)](https://github.com/osapi-io/osapi/actions/workflows/go.yml) [![docker](https://img.shields.io/badge/ghcr.io-osapi-blue?style=for-the-badge&logo=docker&logoColor=white)](https://github.com/osapi-io/osapi/pkgs/container/osapi) [![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://github.com/sigstore/cosign) -[![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://github.com/osapi-io/osapi/pkgs/container/osapi) +[![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://osapi-io.github.io/osapi/#docker) [![powered by](https://img.shields.io/badge/powered%20by-goreleaser-green.svg?style=for-the-badge)](https://github.com/goreleaser) [![conventional commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg?style=for-the-badge)](https://conventionalcommits.org) ![openapi initiative](https://img.shields.io/badge/openapiinitiative-%23000000.svg?style=for-the-badge&logo=openapiinitiative&logoColor=white) From 9d39ebd9d23a678f808917e580dfd557a0fcefaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D7=A0=CF=85=CE=B1=CE=B7=20=D7=A0=CF=85=CE=B1=CE=B7=D1=95?= =?UTF-8?q?=CF=83=CE=B7?= Date: Sun, 15 Mar 2026 21:00:42 -0700 Subject: [PATCH 6/6] fix: link cosign badge to install docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6d5b38c8..de188883 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ [![license](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=for-the-badge)](LICENSE) [![build](https://img.shields.io/github/actions/workflow/status/osapi-io/osapi/go.yml?style=for-the-badge)](https://github.com/osapi-io/osapi/actions/workflows/go.yml) [![docker](https://img.shields.io/badge/ghcr.io-osapi-blue?style=for-the-badge&logo=docker&logoColor=white)](https://github.com/osapi-io/osapi/pkgs/container/osapi) -[![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://github.com/sigstore/cosign) +[![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://osapi-io.github.io/osapi/#docker) [![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://osapi-io.github.io/osapi/#docker) [![powered by](https://img.shields.io/badge/powered%20by-goreleaser-green.svg?style=for-the-badge)](https://github.com/goreleaser) [![conventional commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg?style=for-the-badge)](https://conventionalcommits.org)
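Review bot: In [PATCH 1/6], first hunk of `.github/workflows/docker-publish.yml`, `id-token: write` is added to the workflow-level `permissions:` block, so any job later added to this file can also request an OIDC token. Move the grant under `jobs.publish` (a job-level `permissions:` with `contents: read`, `packages: write`, `id-token: write`) so only the job that runs `cosign sign` can mint a signing identity.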
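Review bot: In [PATCH 1/6], second hunk of `.github/workflows/docker-publish.yml`, `sigstore/cosign-installer@v3` is referenced by a mutable tag in the job that holds `id-token: write` and `packages: write`. Pin it to a full commit SHA, with the version in a trailing comment, so a moved tag cannot change what runs immediately before `cosign sign`. The same applies to `docker/build-push-action@v7` in the context lines. Signing by `steps.build.outputs.digest` rather than by `:latest` is the right choice and should stay.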
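Review bot: In [PATCH 2/6], first hunk of `docs/docs/sidebar/intro.md`, the documented check `--certificate-identity-regexp github.com/osapi-io/osapi` is an unanchored regular expression, so it accepts any certificate identity that merely contains that string (for example a repository whose name starts with `osapi`, or any workflow and ref in the repository), and the unescaped dots match any character. Anchor it with `^` and `$` and escape the dots, or use `--certificate-identity` with the full identity of `.github/workflows/docker-publish.yml`. Separately, the workflow in [PATCH 1/6] only sets `sbom: true` on the build step and never attaches an SBOM with cosign, so please confirm that `cosign download sbom` actually returns the BuildKit-generated SBOM before documenting it. Both commands also take `:latest`; showing verification against a digest would match what the workflow signs.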
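Review bot: In [PATCH 2/6], second hunk of `docs/docs/sidebar/intro.md`, the new `[SBOM]` reference points at `https://en.wikipedia.org/wiki/Software_supply_chain`, which is the general supply-chain article rather than a definition of an SBOM. Link to an SBOM-specific page or to the format the build emits. The `[releases]` context line just above still uses `github.com/retr0h/osapi` while the new `[ghcr]` link uses `osapi-io/osapi`; update it here or in the org-reference fix.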
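Review bot: In [PATCH 4/6], the `README.md` hunk leaves the go report card badge on `goreportcard.com/badge/github.com/retr0h/osapi` and `goreportcard.com/report/github.com/retr0h/osapi`, although the commit message says all badge URLs are moved from retr0h/osapi to osapi-io/osapi. Update that line too, or note in the message why it is excluded. The new `signed-cosign` and `SBOM-attached` badges are static images, so they will keep showing those labels even if the signing step fails or is removed; consider saying so in the docs they link to, or linking to something that reflects the workflow status.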