feat: add cosign with GitHub OIDC token

Changed cosign action to sign with GitHub OIDC token instead of tag. This requires setting up a separate action step for cosign that takes output of build-push step. Signed-off-by: Arthur Savage <[email protected]>
arthurus-rex · Jul 26, 2024 · 20cea0f · 20cea0f
1 parent ccb19cc
commit 20cea0f
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -20,7 +20,7 @@ jobs:
             cosign-release: 'v2.2.4'
         - name: check-cosign-install
           run: cosign version
-        - name: build-sign-push
+        - name: build-push
           run: |
             echo "Test message build-sign-push"
             cat > ./Dockerfile <<EOF
@@ -29,5 +29,7 @@ jobs:
             EOF
             docker build -t quay.io/rh-ee-asavage/gha-image-test:latest .
             docker push quay.io/rh-ee-asavage/gha-image-test:latest
-            cosign sign -y quay.io/rh-ee-asavage/gha-image-test:latest
             echo "Success build-sign-push"
+        - name: sign-image
+          run: |
+            cosign sign -y quay.io/rh-ee-asavage/gha-image-test:latest@${{ steps.build-push.outputs.digest }}