From 2586b3895d94a32e6ae07ef23fc2378ad92ec214 Mon Sep 17 00:00:00 2001 From: Aaron Cooper Date: Mon, 29 Jan 2024 18:36:49 +0000 Subject: [PATCH] Update docker-publish.yml --- .github/workflows/docker-publish.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index ae21c52..8c43975 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -102,12 +102,21 @@ jobs: # repository is public to avoid leaking data. If you would like to publish # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - - name: Sign the published Docker image + - name: Sign the published Server image if: ${{ github.event_name != 'pull_request' }} env: # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAGS: ${{ steps.meta1.outputs.tags }} + DIGEST: ${{ steps.build-and-push-server.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + - name: Sign the published UI image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta2.outputs.tags }} + DIGEST: ${{ steps.build-and-push-ui.outputs.digest }} # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}