cosign fix #1

Author: binarycodes

.github/workflows/ssh-key-signer-server-docker.yml

@@ -79,23 +79,26 @@ jobs:
             APP_NAME=${{ steps.extract_version.outputs.MAVEN_NAME }}
             APP_VERSION=${{ steps.extract_version.outputs.MAVEN_VERSION }}
 
+      # the following steps uses the identity token to provision an ephemeral certificate
+      # against the sigstore community Fulcio instance.`
+
       - name: install Cosign
         if: startsWith(github.ref, 'refs/tags/v')
         uses: sigstore/cosign-installer@v3.8.1
 
       - name: write cosign key to file
         if: startsWith(github.ref, 'refs/tags/v')
-        run: |
-          echo "${{ secrets.COSIGN_PRIVATE_KEY }}" >> cosign.key
+        run: 'echo "$KEY" > cosign.key'
+        shell: bash
+        env:
+          KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 
       - name: sign the published docker image
         if: startsWith(github.ref, 'refs/tags/v')
         env:
-          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           TAGS: ${{ steps.meta.outputs.tags }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
         run: |
           echo "${TAGS}" | while read tag; do
             cosign sign --key cosign.key $tag