Fix Cosign image signing by using digest instead of tag to avoid sign…

…ing incorrect image versions Signed-off-by: Saurabhkr952 <[email protected]>
Saurabhkr952 · Aug 27, 2024 · b6d855a · b6d855a
1 parent 56b99ce
commit b6d855a
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/.github/workflows/multi-stage-workflow.yml b/.github/workflows/multi-stage-workflow.yml
@@ -38,10 +38,16 @@ jobs:
           platforms: linux/amd64,linux/arm64
 
       # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+      # temp cosign sign --yes --key env://COSIGN_PRIVATE_KEY saurabhkr952/dev-portfolio@sha256:${{ github.sha }}
       - name: Sign image with a key
         run: |
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY saurabhkr952/dev-portfolio@sha256:${{ github.sha }}
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
         env:
+          TAGS: ${{ github.sha }}
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}