From 8eaf66429630981d23dc1c0379c6e3cd04f64c65 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 20 Feb 2025 19:58:44 +0000
Subject: [PATCH 1/2] chore(deps): update sigstore/cosign-installer action to
 v3.8.1

---
 .github/workflows/docker-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index dcbc850..a6c1c9d 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -50,7 +50,7 @@ jobs:
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v3.1.0
+        uses: sigstore/cosign-installer@v3.8.1
         with:
           cosign-release: 'v2.1.0'
 

From bdc13edc55c93300ecc6a8546442e1ef4d46061f Mon Sep 17 00:00:00 2001
From: kaltepeter <kayla.altepeter@datasite.com>
Date: Thu, 27 Feb 2025 10:04:57 -0600
Subject: [PATCH 2/2] fix: cosign issues

---
 .github/workflows/docker-publish.yml | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index a6c1c9d..d6a4964 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -27,9 +27,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
 
     services:
       registry:
@@ -51,8 +49,9 @@ jobs:
       - name: Install cosign
         if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@v3.8.1
-        with:
-          cosign-release: 'v2.1.0'
+      - name: Check Cosign Version
+        if: github.event_name != 'pull_request'
+        run: cosign version
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
@@ -132,21 +131,17 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-    #   TODO: fix
-      - name: Sign the published Docker image
+      - name: Sign the published Docker image with OIDC token
         if: ${{ github.event_name != 'pull_request' }}
         env:
-          COSIGN_EXPERIMENTAL: "true"
           TAGS: ${{ steps.meta.outputs.tags }}
           DIGEST: ${{ steps.docker-push.outputs.digest }}
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
-        run: cosign sign --yes "${TAGS}@${DIGEST}"
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
 
     #   - name: Rollback Release
     #     if: ${{ (cancelled() || failure()) && github.event_name == 'release' }}