chore(ci): add Docker Hub as secondary container registry

Publish Docker images to both Docker Hub (docker.io/wikid82/charon) and GitHub Container Registry (ghcr.io/wikid82/charon) for maximum reach. Add Docker Hub login with secret existence check for graceful fallback Update docker/metadata-action to generate tags for both registries Add Cosign keyless signing for both GHCR and Docker Hub images Attach SBOM to Docker Hub via cosign attach sbom Add Docker Hub signature verification to supply-chain-verify workflow Update README with Docker Hub badges and dual registry examples Update getting-started.md with both registry options Supply chain security maintained: identical tags, signatures, and SBOMs on both registries. PR images remain GHCR-only.
2026-01-25 16:04:42 +00:00
parent 9a26fcaf88
commit ba900e20c5
7 changed files with 927 additions and 1767 deletions
--- a/.github/workflows/supply-chain-verify.yml
+++ b/.github/workflows/supply-chain-verify.yml
@@ -681,6 +681,17 @@ jobs:
            fi
          fi

+      - name: Verify Docker Hub Image Signature
+        if: steps.image-check.outputs.exists == 'true'
+        continue-on-error: true
+        run: |
+          echo "Verifying Docker Hub image signature..."
+          cosign verify docker.io/wikid82/charon:${{ steps.tag.outputs.tag }} \
+            --certificate-identity-regexp="https://github.com/Wikid82/Charon" \
+            --certificate-oidc-issuer="https://token.actions.githubusercontent.com" && \
+          echo "✅ Docker Hub signature verified" || \
+          echo "⚠️ Docker Hub signature verification failed (image may not exist or not signed)"
+
      - name: Verify SLSA Provenance
        env:
          IMAGE: ghcr.io/${{ github.repository_owner }}/charon:${{ steps.tag.outputs.tag }}