diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml index 590e90cf..dea71c09 100644 --- a/.github/workflows/push-docker.yml +++ b/.github/workflows/push-docker.yml @@ -41,6 +41,7 @@ jobs: DOCKER_ENABLE_SECURITY: false - name: Install cosign + if: github.ref == 'refs/heads/master' uses: sigstore/cosign-installer@v3.7.0 with: cosign-release: 'v2.4.1' @@ -105,31 +106,18 @@ jobs: sbom: true - name: Sign regular images + if: github.ref == 'refs/heads/master' env: DIGEST: ${{ steps.build-push-regular.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} run: | - # Always sign images regardless of branch echo "$TAGS" | tr ',' '\n' | while read -r tag; do cosign sign --yes \ --key env://COSIGN_PRIVATE_KEY \ "${tag}@${DIGEST}" done - - # For alpha builds specifically, we want to ensure they're marked as development builds - if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then - echo "Signing alpha build with development attestation" - echo "$TAGS" | tr ',' '\n' | while read -r tag; do - if [[ $tag == *":alpha" ]]; then - cosign attest --key env://COSIGN_PRIVATE_KEY \ - --predicate <(echo '{"type":"development"}') \ - --yes "${tag}@${DIGEST}" - fi - done - fi - - name: Generate tags ultra-lite id: meta2 @@ -162,18 +150,6 @@ jobs: provenance: true sbom: true - - name: Sign ultra-lite images - if: github.ref != 'refs/heads/main' - env: - DIGEST: ${{ steps.build-push-lite.outputs.digest }} - TAGS: ${{ steps.meta2.outputs.tags }} - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - run: | - echo "$TAGS" | tr ',' '\n' | while read -r tag; do - cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}" - done - - name: Generate tags fat id: meta3 uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 
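Review bot: Gating `Install cosign` on `github.ref == 'refs/heads/master'` means that on any other ref the binary is simply absent, so a later step that calls `cosign` without the identical guard fails with a command-not-found error instead of being skipped; the sign steps in the later hunks carry the same literal, but nothing ties them together. The ref string is now repeated in four places, which is easy to drift when the branch name changes; consider hoisting it into one job-level expression (for example an `env` value computed once and tested with `if: env.SIGN_IMAGES == 'true'`) or at least adding a comment above this step, `# Only installed on master; every cosign step below must carry the same guard`. The enclosing job starts before this hunk, so where such a shared value would live is not visible here.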
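Review bot: The new `if:` on `Sign regular images` makes every image pushed from a non-master ref unsigned while the build step above it still emits provenance and an SBOM, and the removed comment `# Always sign images regardless of branch` documented exactly the opposite policy, so the new policy should be written down where the step is. If the workflow also runs on tag pushes (the `on:` block is outside this hunk), `github.ref` is `refs/tags/...` there and release images would go unsigned too; if signed releases are wanted, the guard needs widening, e.g. `if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')`. Note also that the following hunk (`-162,18 +150,6`) deletes `Sign ultra-lite images` outright rather than gating it, so ultra-lite images are never signed even on master while regular and fat ones are; confirm that asymmetry is intended, and if so state it in a comment such as `# Ultra-lite images are intentionally not signed`. Downstream `cosign verify` policies that were satisfied by the old behaviour will now reject non-master and ultra-lite tags.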
@@ -207,7 +183,7 @@ jobs: sbom: true - name: Sign fat images - if: github.ref != 'refs/heads/main' + if: github.ref == 'refs/heads/master' env: DIGEST: ${{ steps.build-push-fat.outputs.digest }} TAGS: ${{ steps.meta3.outputs.tags }}
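Review bot: This one-line flip changes `Sign fat images` from "every ref except main" to "only master", and the branch name changes at the same time — the deleted code in hunk `-105,31 +106,18` also compared against `refs/heads/main`. If the repository's default branch is actually `main`, none of the newly guarded steps (here, `Sign regular images` and `Install cosign`) will ever run and every pushed image will be unsigned without any step failing, which is a silent loss of signing rather than an error. Please confirm the default branch, or make the guard independent of the spelling, e.g. `if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)`. The step's `env:`/`run:` body continues past the end of this hunk.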