fix: signing with digest instead of tag

atomic-studio-org · Mar 16, 2024 · 644aa29 · 644aa29
1 parent abd6f5b
commit 644aa29
Showing 1 changed file with 10 additions and 8 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -90,6 +90,7 @@ jobs:
           /usr/local/bin/bluebuild template -v ./config/recipes/recipe${{matrix.recipe}} -o /tmp/Containerfile 
 
       - name: Build
+        id: build_image
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -116,12 +117,13 @@ jobs:
       - name: Push To GHCR Image Registry
         run: docker push --disable-content-trust ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}
 
+      - name: Install cosign
+        uses: sigstore/[email protected]
+
       - name: Sign container image
-        uses: EyeCantCU/cosign-action/[email protected]
-        if: github.event_name != 'pull_request'
-        with:
-          containers: ${{ steps.recipes_meta.outputs.IMAGE_NAME }}
-          registry: ${{ env.IMAGE_REGISTRY }}
-          registry-token: ${{ github.token }}
-          signing-secret: ${{ secrets.SIGNING_SECRET }}
-          tags: latest
+        shell: bash
+        run: |
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}@sha256:${{ steps.build_image.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ env.SIGNING_SECRET }}