From 0f24fa104ed8160ee4687eb3f791ce85cd3573e3 Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com>
Date: Thu, 26 Dec 2024 13:32:22 +0000
Subject: [PATCH] Update push-docker only sigh fat and normal

---
 .github/workflows/push-docker.yml | 30 +++---------------------------
 1 file changed, 3 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
index 590e90cf..dea71c09 100644
--- a/.github/workflows/push-docker.yml
+++ b/.github/workflows/push-docker.yml
@@ -41,6 +41,7 @@ jobs:
           DOCKER_ENABLE_SECURITY: false
 
       - name: Install cosign
+        if: github.ref == 'refs/heads/master'
         uses: sigstore/cosign-installer@v3.7.0
         with:
           cosign-release: 'v2.4.1'
@@ -105,31 +106,18 @@ jobs:
           sbom: true
 
       - name: Sign regular images
+        if: github.ref == 'refs/heads/master'
         env:
           DIGEST: ${{ steps.build-push-regular.outputs.digest }}
           TAGS: ${{ steps.meta.outputs.tags }}
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
-          # Always sign images regardless of branch
           echo "$TAGS" | tr ',' '\n' | while read -r tag; do
             cosign sign --yes \
               --key env://COSIGN_PRIVATE_KEY \
               "${tag}@${DIGEST}"
           done
-          
-          # For alpha builds specifically, we want to ensure they're marked as development builds
-          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
-            echo "Signing alpha build with development attestation"
-            echo "$TAGS" | tr ',' '\n' | while read -r tag; do
-              if [[ $tag == *":alpha" ]]; then
-                cosign attest --key env://COSIGN_PRIVATE_KEY \
-                  --predicate <(echo '{"type":"development"}') \
-                  --yes "${tag}@${DIGEST}"
-              fi
-            done
-          fi
-
 
       - name: Generate tags ultra-lite
         id: meta2
@@ -162,18 +150,6 @@ jobs:
           provenance: true
           sbom: true
 
-      - name: Sign ultra-lite images
-        if: github.ref != 'refs/heads/main'
-        env:
-          DIGEST: ${{ steps.build-push-lite.outputs.digest }}
-          TAGS: ${{ steps.meta2.outputs.tags }}
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-        run: |
-          echo "$TAGS" | tr ',' '\n' | while read -r tag; do
-            cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}"
-          done
-
       - name: Generate tags fat
         id: meta3
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
@@ -207,7 +183,7 @@ jobs:
           sbom: true
 
       - name: Sign fat images
-        if: github.ref != 'refs/heads/main'
+        if: github.ref == 'refs/heads/master'
         env:
           DIGEST: ${{ steps.build-push-fat.outputs.digest }}
           TAGS: ${{ steps.meta3.outputs.tags }}