fix: pin cosign action for push to main

Signed-off-by: K.B.Dharun Krishna <[email protected]>
kbdharun · May 12, 2024 · a3f72ae · a3f72ae
1 parent 9de2b3e
commit a3f72ae
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -86,9 +86,9 @@ jobs:
 
     - uses: sigstore/[email protected]
     - name: Sign container image
-      if: github.repository == 'kbdharun/dev-image' && github.event_name != 'pull_request'
+      if: github.repository == 'kbdharun/dev-image' && github.ref == 'refs/heads/main'
       run: |
-        cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.docker_meta.outputs.tags }}
+        cosign sign -y --key env://COSIGN_PRIVATE_KEY ghcr.io/kbdharun/dev-image:main
       env:
         COSIGN_EXPERIMENTAL: false
         COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}