diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 351543c5..71699320 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -39,10 +39,7 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 - with: - cosign-release: 'v1.13.1' - + uses: sigstore/cosign-installer@v3.1.1 # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -68,9 +65,9 @@ jobs: # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - - name: Build and push Docker image + - name: Build and Push container images + uses: docker/build-push-action@v4.0.0 id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: ${{ github.event_name != 'pull_request' }} @@ -88,7 +85,6 @@ jobs: - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAGS: ${{ steps.docker_meta.outputs.tags }} + run: cosign sign --yes "${TAGS}@${DIGEST}"