[action] cosign over docker image digest

2022-10-26 23:31:02 -07:00 · 2022-10-26 23:31:02 -07:00 · e9b792755d
commit e9b792755d
parent c43d59a69a
2 changed files with 6 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -98,4 +98,10 @@ jobs:
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Cosign
+        id: cosign
+        run: |
+          DIGEST=$(docker images --digests --format "{{.Digest}}" smallstep/step-ca | head -n 1 | tr -d '[:space:]')
+          cosign sign -r smallstep/step-ca@${DIGEST}
+        env:
          COSIGN_EXPERIMENTAL: 1
--- a/make/docker.mk
+++ b/make/docker.mk
@ -54,7 +54,6 @@ define DOCKER_BUILDX
 	# $(1) -- Image Tag
 	# $(2) -- Push (empty is no push | --push will push to dockerhub)
 	docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
-	cosign sign -r $(DOCKER_IMAGE_NAME):$(1)

 endef