chore: Update Docker image signing step in workflow

Terradue · Jun 3, 2024 · 66f8cda · 66f8cda
1 parent 29d1db9
commit 66f8cda
Showing 1 changed file with 7 additions and 12 deletions.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -35,12 +35,6 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/[email protected]
-
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
@@ -76,9 +70,10 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-
-      # Sign the resulting Docker image digest except on PRs.
-      - name: Sign image
-        if: github.event_name != 'pull_request'
-        run: |
-          cosign sign -key cosign.key -a ${{ steps.build-and-push.outputs.digest }}      
+      # Generate artifact attestation
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true