From 644aa297e235a4ba0c972f886cd5e28adbb11b38 Mon Sep 17 00:00:00 2001
From: Tulili
Date: Sat, 16 Mar 2024 11:23:04 -0300
Subject: [PATCH] fix: signing with digest instead of tag

---
 .github/workflows/build.yml | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2531396..e7056ad 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -90,6 +90,7 @@ jobs:
           /usr/local/bin/bluebuild template -v ./config/recipes/recipe${{matrix.recipe}} -o /tmp/Containerfile
 
       - name: Build
+        id: build_image
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -116,12 +117,13 @@ jobs:
       - name: Push To GHCR Image Registry
         run: docker push --disable-content-trust ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.3.0
+
       - name: Sign container image
-        uses: EyeCantCU/cosign-action/sign@v0.2.2
-        if: github.event_name != 'pull_request'
-        with:
-          containers: ${{ steps.recipes_meta.outputs.IMAGE_NAME }}
-          registry: ${{ env.IMAGE_REGISTRY }}
-          registry-token: ${{ github.token }}
-          signing-secret: ${{ secrets.SIGNING_SECRET }}
-          tags: latest
+        shell: bash
+        run: |
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.recipes_meta.outputs.IMAGE_NAME }}@sha256:${{ steps.build_image.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ env.SIGNING_SECRET }}
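Review bot: The new signing step reads the key from `env.SIGNING_SECRET`, whereas the removed step passed `secrets.SIGNING_SECRET`; unless a workflow-level `env:` block outside this hunk maps the secret to that name, `COSIGN_PRIVATE_KEY` expands to an empty string and `cosign sign` cannot load a key, so the line should most likely be `COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}`. The `if: github.event_name != 'pull_request'` guard on the old step was also dropped, so signing (and the preceding push) now runs for pull-request builds, where secrets are not exposed to forks and the image is not a release artifact; restoring `if: github.event_name != 'pull_request'` on the new step keeps the previous behavior. Since this step handles the signing key, pinning `sigstore/cosign-installer` to a commit SHA rather than the mutable `v3.3.0` tag would also harden the supply chain. Signing by `@sha256:` digest rather than the `latest` tag is the right direction and needs no change.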