diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 71699320..dc9e2d2d 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -78,13 +78,7 @@ jobs: # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - DIGEST: ${{ steps.build-and-push.outputs.digest }} - TAGS: ${{ steps.docker_meta.outputs.tags }} - run: cosign sign --yes "${TAGS}@${DIGEST}" + - name: Sign image + if: github.event_name != 'pull_request' + run: | + cosign sign -key cosign.key -a ${{ steps.build-and-push.outputs.digest }}