try to fix cosign command (#63)

mtougeron · Jul 23, 2022 · 69c6dfe · 69c6dfe
1 parent 77b8d99
commit 69c6dfe
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -85,10 +85,18 @@ jobs:
 
       # This will only write to the public Rekor transparency log when the Docker
       # repository is public to avoid leaking data. https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
+      - name: Sign the published Dockerhub image
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: cosign sign ${{ steps.docker_meta.outputs.tags }}@${{ steps.docker_build.outputs.digest }}
+        run: cosign sign -a "repo=${{ github.repository }}" -r ${{ secrets.DOCKER_HUB_USERNAME }}/k8s-pvc-tagger@${{ steps.docker_build.outputs.digest }}
+
+      - name: Sign the published GitHub image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign -a "repo=${{ github.repository }}" -r ghcr.io/${{ github.repository_owner }}/k8s-pvc-tagger@${{ steps.docker_build.outputs.digest }}