diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index e1f3d31..233a72e 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -39,16 +39,16 @@ jobs: # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.5.0 +# - name: Install cosign +# if: github.event_name != 'pull_request' +# uses: sigstore/cosign-installer@v3.5.0 # with: # cosign-release: 'v1.13.1' # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@2ad185228a349d19414702819e06df9fa4314287 + # - name: Setup Docker buildx + # uses: docker/setup-buildx-action@2ad185228a349d19414702819e06df9fa4314287 # Login against a Docker registry except on PR # https://github.com/docker/login-action @@ -83,15 +83,9 @@ jobs: cache-to: type=gha,mode=max - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} + subject-digest: ${{ steps.build-and-push.outputs.digest }} + push-to-registry: true