diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index dcbc850..d6a4964 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -27,9 +27,7 @@ jobs:
 permissions:
 contents: read
 packages: write
- # This is used to complete the identity challenge
- # with sigstore/fulcio when running outside of PRs.
- id-token: write
+ id-token: write # needed for signing the images with GitHub OIDC Token
 services:
 registry:
@@ -50,9 +48,10 @@ jobs:
 # https://github.com/sigstore/cosign-installer
 - name: Install cosign
 if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@v3.1.0
- with:
- cosign-release: 'v2.1.0'
+ uses: sigstore/cosign-installer@v3.8.1
+ - name: Check Cosign Version
+ if: github.event_name != 'pull_request'
+ run: cosign version
 # Workaround: https://github.com/docker/build-push-action/issues/461
 - name: Setup Docker buildx
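Review bot: In the "Install cosign" step, `uses: sigstore/cosign-installer@v3.8.1` references the action by a mutable tag, and the first hunk shows what appears to be the same job holding `packages: write` and `id-token: write`, so whatever that tag resolves to runs with the ability to push and sign images. Pin the action to the full commit SHA of the release and keep the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3.8.1`. Removing `cosign-release` also means the cosign binary now follows the installer's default; the added `cosign version` step records the version in the log but does not enforce one, so an explicit `cosign-release` is still worth keeping if reproducible signing tooling matters.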
@@ -132,21 +131,17 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
- # Sign the resulting Docker image digest except on PRs.
- # This will only write to the public Rekor transparency log when the Docker
- # repository is public to avoid leaking data. If you would like to publish
- # transparency data even for private images, pass --force to cosign below.
- # https://github.com/sigstore/cosign
- # TODO: fix
- - name: Sign the published Docker image
+ - name: Sign the published Docker image with OIDC token
 if: ${{ github.event_name != 'pull_request' }}
 env:
- COSIGN_EXPERIMENTAL: "true"
 TAGS: ${{ steps.meta.outputs.tags }}
 DIGEST: ${{ steps.docker-push.outputs.digest }}
- # This step uses the identity token to provision an ephemeral certificate
- # against the sigstore community Fulcio instance.
- run: cosign sign --yes "${TAGS}@${DIGEST}"
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
 # - name: Rollback Release
 # if: ${{ (cancelled() || failure()) && github.event_name == 'release' }}
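Review bot: The new `run` script collects the image references in a space-joined string and passes it unquoted as `cosign sign --yes ${images}`, so the argument list depends on shell word splitting and is open to glob expansion. A bash array keeps each reference as exactly one argument: `images=()`, `images+=("${tag}@${DIGEST}")`, `cosign sign --yes "${images[@]}"`. The commit also removes every comment on this step, including the note about the public Rekor transparency log. Keyless signing with current cosign releases records the signing identity and image digest there by default, as far as I know, so a one-line comment such as `# Keyless signing: identity and digest are recorded in the public Rekor log` would keep that visible to maintainers of a private repository.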