Merge pull request #30 from Fortiphyd/add-image-signing

fix image signing

Author: djformby

.github/workflows/docker-image.yml

@@ -16,6 +16,7 @@ on:
     types: [ published ]
 
 env:
+  DOCKERHUB_NAMESPACE: fortiphyd
   DOCKER_TAG: ${{ github.ref_type == 'tag' && github.ref_name || 'latest' }}
 
 jobs:
@@ -89,7 +90,7 @@ jobs:
 
       - uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: fortiphyd
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build and push amd64 images
@@ -101,7 +102,7 @@ jobs:
               echo "⚠️ Skipping ${SERVICE}: directory does not exist"
               continue
             fi
-            IMAGE="${{ secrets.DOCKERHUB_USERNAME }}/grfics-${SERVICE}"
+            IMAGE="${DOCKERHUB_NAMESPACE}/grfics-${SERVICE}"
             echo "🚀 Building ${IMAGE}:${DOCKER_TAG} (amd64)"
             docker buildx build \
               --platform linux/amd64 \
@@ -190,7 +191,7 @@ jobs:
           set -euo pipefail
           SERVICES=$(echo '${{ needs.detect-changes.outputs.services }}' | jq -r '.[]')
           for SERVICE in $SERVICES; do
-            REPO="${{ secrets.DOCKERHUB_USERNAME }}/grfics-${SERVICE}"
+            REPO="${DOCKERHUB_NAMESPACE}/grfics-${SERVICE}"
             IMAGE="${REPO}:${DOCKER_TAG}"
 
             echo "🔗 Creating multi-arch manifest for ${IMAGE}"
@@ -201,7 +202,7 @@ jobs:
             echo "✅ Multi-arch manifest published for ${IMAGE}"
 
             echo "🔎 Resolving digest for ${IMAGE}"
-            DIGEST="$(docker buildx imagetools inspect "${IMAGE}" --format '{{.Digest}}')"
+            DIGEST="$(docker buildx imagetools inspect "${IMAGE}" --format '{{json .Manifest}}' | jq -r '.digest')"
             echo "🔏 Signing ${IMAGE}@${DIGEST} (keyless, GitHub OIDC, recursive)"
             cosign sign --recursive "${REPO}@${DIGEST}"
             echo "✅ Signed ${IMAGE}@${DIGEST}"