From 73895606d7a61dd70dc01bd18176614f94ec7f9c Mon Sep 17 00:00:00 2001
From: Sivli Embir
Date: Sat, 13 Jul 2024 08:16:42 -0700
Subject: [PATCH 1/5] SRE-1913 - Sign Package Collector Image
---
 .github/workflows/sign_ghcr.yaml | 44 ++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/sign_ghcr.yaml
diff --git a/.github/workflows/sign_ghcr.yaml b/.github/workflows/sign_ghcr.yaml
new file mode 100644
index 0000000..1cd71d4
--- /dev/null
+++ b/.github/workflows/sign_ghcr.yaml
@@ -0,0 +1,44 @@
+name: Sign Package Collector Image
+
+on:
+ workflow_call:
+ inputs:
+ image-name:
+ description: 'The name of the image.'
+ type: string
+ required: true
+ image-digest:
+ description: 'The digest of the image.'
+ type: string
+ required: true
+ secrets:
+ PACKAGE_GITHUB_TOKEN:
+ description: 'GitHub Token to authenticate and sign with'
+ required: true
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3
+ - name: Log into registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.PACKAGE_GITHUB_TOKEN }}
+ # Sign the Docker image (Using OIDC Token for "keyless signing")
+ # https://github.com/sigstore/cosign-installer
+ - name: Sign the images with GH OIDC Token
+ run: |
+ cosign sign -d -y $IMAGE
+ env:
+ COSIGN_REPOSITORY: ghcr.io/${{ inputs.image-name }}-signatures
+ IMAGE: ghcr.io/${{ inputs.image-name }}@${{ inputs.image-digest }}
From de7196d7e741dc02b41a5289ca72b278305b3986 Mon Sep 17 00:00:00 2001
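Review bot: The three third-party actions under `steps` (`actions/checkout@v4`, `sigstore/cosign-installer@v3`, `docker/login-action@v3`) are pinned to mutable major tags, and in a job that holds `id-token: write` and `packages: write` and produces the image's signature that is the weakest link: whatever the tag resolves to at run time becomes the signer. Pin each to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha> # v3`. The `Checkout repository` step is not used by any later step (cosign signs by registry reference only), so it and the `contents: read` grant can be dropped. The same tag pinning applies to the `action.yaml` hunk in PATCH 2/5.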
From: Sivli Embir
Date: Mon, 15 Jul 2024 08:04:14 -0700
Subject: [PATCH 2/5] SRE-1913 - Move from workflow to action
---
 .github/actions/sign_ghcr/action.yaml | 38 +++++++++++++++++++++++
 .github/workflows/sign_ghcr.yaml | 44 ---------------------
 2 files changed, 38 insertions(+), 44 deletions(-)
 create mode 100644 .github/actions/sign_ghcr/action.yaml
 delete mode 100644 .github/workflows/sign_ghcr.yaml
diff --git a/.github/actions/sign_ghcr/action.yaml b/.github/actions/sign_ghcr/action.yaml
new file mode 100644
index 0000000..4f2789c
--- /dev/null
+++ b/.github/actions/sign_ghcr/action.yaml
@@ -0,0 +1,38 @@
+name: Sign Package Collector Image
+description: |
+ This action is responsible for signing the Docker image of the Package Collector
+ and pushing the signature to the GitHub Container Registry (GHCR).
+
+inputs:
+ image-name:
+ description: 'The name of the image.'
+ required: true
+ image-digest:
+ description: 'The digest of the image.'
+ required: true
+ PACKAGE_GITHUB_TOKEN:
+ description: 'GitHub Token to authenticate and sign with'
+ required: true
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3
+ - name: Log into registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.PACKAGE_GITHUB_TOKEN }}
+ # Sign the Docker image (Using OIDC Token for "keyless signing")
+ # https://github.com/sigstore/cosign-installer
+ - name: Sign the images with GH OIDC Token
+ shell: bash
+ run: |
+ cosign sign -d -y $IMAGE
+ env:
+ COSIGN_REPOSITORY: ghcr.io/${{ inputs.image-name }}-signatures
+ IMAGE: ghcr.io/${{ inputs.image-name }}@${{ inputs.image-digest }}
diff --git a/.github/workflows/sign_ghcr.yaml b/.github/workflows/sign_ghcr.yaml
deleted file mode 100644
index 1cd71d4..0000000
--- a/.github/workflows/sign_ghcr.yaml
+++ /dev/null
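Review bot: Moving the steps into a composite action loses the `permissions` block the workflow carried, and a composite action cannot declare one, so the caller now has to grant `id-token: write` (the OIDC token behind the "keyless signing" comment) and `packages: write` (pushing to the `-signatures` repository); nothing in `action.yaml` says so, and a caller that forgets will only find out when the `Sign the images` step fails. Record both requirements in `description`, together with the note that `PACKAGE_GITHUB_TOKEN` is expected to be passed from the caller's `secrets.` so the runner keeps masking it. The `Checkout repository` step appears unnecessary here as well — no later step reads the workspace — and in a composite action it would re-clone over whatever the caller has already checked out.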
@@ -1,44 +0,0 @@
-name: Sign Package Collector Image
-
-on:
- workflow_call:
- inputs:
- image-name:
- description: 'The name of the image.'
- type: string
- required: true
- image-digest:
- description: 'The digest of the image.'
- type: string
- required: true
- secrets:
- PACKAGE_GITHUB_TOKEN:
- description: 'GitHub Token to authenticate and sign with'
- required: true
-
-jobs:
- build:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- id-token: write
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- - name: Install Cosign
- uses: sigstore/cosign-installer@v3
- - name: Log into registry
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.PACKAGE_GITHUB_TOKEN }}
- # Sign the Docker image (Using OIDC Token for "keyless signing")
- # https://github.com/sigstore/cosign-installer
- - name: Sign the images with GH OIDC Token
- run: |
- cosign sign -d -y $IMAGE
- env:
- COSIGN_REPOSITORY: ghcr.io/${{ inputs.image-name }}-signatures
- IMAGE: ghcr.io/${{ inputs.image-name }}@${{ inputs.image-digest }}
From 6ef8249949a201f32cc770dee623189bc2a21c7b Mon Sep 17 00:00:00 2001
From: Sivli Embir
Date: Mon, 15 Jul 2024 08:28:44 -0700
Subject: [PATCH 3/5] SRE-1913 - use input
---
 .github/actions/sign_ghcr/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/sign_ghcr/action.yaml b/.github/actions/sign_ghcr/action.yaml
index 4f2789c..b5c72e9 100644
--- a/.github/actions/sign_ghcr/action.yaml
+++ b/.github/actions/sign_ghcr/action.yaml
@@ -26,7 +26,7 @@ runs:
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
- password: ${{ secrets.PACKAGE_GITHUB_TOKEN }}
+ password: ${{ inputs.PACKAGE_GITHUB_TOKEN }}
 # Sign the Docker image (Using OIDC Token for "keyless signing")
 # https://github.com/sigstore/cosign-installer
 - name: Sign the images with GH OIDC Token
From c8ed611aa815f4b0ad069c73668ca3cf8d86a144 Mon Sep 17 00:00:00 2001
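Review bot: `password: ${{ inputs.PACKAGE_GITHUB_TOKEN }}` is the right context for a composite action, but the input name breaks the kebab-case convention of the other two inputs (`image-name`, `image-digest`); `github-token` with a description stating the `packages: write` scope it needs would read consistently. Because the credential now arrives as an ordinary input, log masking depends on the caller sourcing it from `secrets.` rather than a literal, which is worth saying in the input's description. The `with:` block this hunk edits starts inside the hunk but the enclosing `steps` list continues past it.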
From: Sivli Embir
Date: Mon, 15 Jul 2024 08:36:18 -0700
Subject: [PATCH 4/5] SRE-1913 - overwrite sig
---
 .github/actions/sign_ghcr/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/sign_ghcr/action.yaml b/.github/actions/sign_ghcr/action.yaml
index b5c72e9..20d4d16 100644
--- a/.github/actions/sign_ghcr/action.yaml
+++ b/.github/actions/sign_ghcr/action.yaml
@@ -32,7 +32,7 @@ runs:
 - name: Sign the images with GH OIDC Token
 shell: bash
 run: |
- cosign sign -d -y $IMAGE
+ cosign sign -d -a tag=latest -y $IMAGE
 env:
 COSIGN_REPOSITORY: ghcr.io/${{ inputs.image-name }}-signatures
 IMAGE: ghcr.io/${{ inputs.image-name }}@${{ inputs.image-digest }}
From 5f0645b160f82f5ec040ef50426637c8b1063d51 Mon Sep 17 00:00:00 2001
From: Sivli Embir
Date: Mon, 15 Jul 2024 08:51:09 -0700
Subject: [PATCH 5/5] SRE-1913 - finalize action
---
 .github/actions/sign_ghcr/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/sign_ghcr/action.yaml b/.github/actions/sign_ghcr/action.yaml
index 20d4d16..f9e7455 100644
--- a/.github/actions/sign_ghcr/action.yaml
+++ b/.github/actions/sign_ghcr/action.yaml
@@ -32,7 +32,7 @@ runs:
 - name: Sign the images with GH OIDC Token
 shell: bash
 run: |
- cosign sign -d -a tag=latest -y $IMAGE
+ cosign sign -y $IMAGE
 env:
 COSIGN_REPOSITORY: ghcr.io/${{ inputs.image-name }}-signatures
 IMAGE: ghcr.io/${{ inputs.image-name }}@${{ inputs.image-digest }}
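Review bot: `-a tag=latest` puts an annotation into the signed payload that asserts a tag this action never sees — it only receives `image-digest` — so a verifier that checks `-a tag=latest` would be trusting a claim the signer did not establish. As far as I know cosign adds a signature rather than replacing an existing one, so the "overwrite sig" intent in the title is not achieved by the flag either. PATCH 5/5 removes it, which resolves both points; I raise it only so the reasoning is on record.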
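Review bot: The final `cosign sign -y $IMAGE` stores the signature under `COSIGN_REPOSITORY` (`ghcr.io/${{ inputs.image-name }}-signatures`) instead of alongside the image, so any consumer running `cosign verify` has to export the same `COSIGN_REPOSITORY` or it will see no signature at all; that contract is not written anywhere in `action.yaml` and belongs in `description`. Quote the reference, `cosign sign -y "$IMAGE"`, so a malformed `image-digest` value cannot be split into extra arguments by the shell. A follow-up step running `cosign verify` with `--certificate-oidc-issuer https://token.actions.githubusercontent.com` and a `--certificate-identity-regexp` pinned to this repository's workflows would confirm the keyless signature is bound to the expected identity before the action reports success.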