File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -385,14 +385,16 @@ jobs:
385385
386386 # Push to main and release: sign the image with Cosign (keyless, Sigstore).
387387 # PR images are ephemeral and not deployed, so signing them is skipped.
388+ # Sign by digest (not tag) to guarantee we sign exactly what was pushed.
389+ - name : Install Cosign
390+ if : github.event_name != 'pull_request'
391+ uses : sigstore/cosign-installer@v3
392+
388393 - name : Sign container image with Cosign
389394 if : github.event_name != 'pull_request'
390- uses : firestoned/github-actions/security/cosign-sign@v1.3.6
391- with :
392- image-digest : ${{ steps.docker_build.outputs.digest }}
393- image-tags : ${{ matrix.variant.image-tag }}
394- registry : ghcr.io
395- repository : ${{ matrix.variant.image-repository }}
395+ run : |
396+ cosign sign --yes \
397+ ghcr.io/${{ matrix.variant.image-repository }}@${{ steps.docker_build.outputs.digest }}
396398
397399 # Release only: generate a CycloneDX SBOM for the published image.
398400 - name : Generate Docker SBOM for ${{ matrix.variant.name }}
@@ -402,6 +404,7 @@ jobs:
402404 image : ghcr.io/${{ matrix.variant.image-repository }}:${{ matrix.variant.image-tag }}
403405 format : cyclonedx-json
404406 output-file : docker-sbom-${{ matrix.variant.name }}.json
407+ upload-release-assets : false
405408
406409 - name : Upload Docker SBOM as artifact
407410 if : github.event_name == 'release'
You can’t perform that action at this time.
0 commit comments