sign image

Signed-off-by: cpanato <[email protected]>

Author: cpanato

.github/workflows/release.yml

@@ -30,6 +30,7 @@ jobs:
 
       - uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
       - uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
+      - uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
 
       - name: Log into ghcr.io
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
@@ -64,6 +65,11 @@ jobs:
           checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
           echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
 
+      - name: sign image
+        run: |
+          DIGEST=$(crane digest ghcr.io/cpanato/github_actions_exporter:${{ steps.get_tag.outputs.TAG }})
+          cosign sign "ghcr.io/cpanato/github_actions_exporter@${DIGEST}"
+
   provenance:
     needs:
       - release

.goreleaser.yml

@@ -55,7 +55,7 @@ kos:
   - id: ko-image
     main: .
     base_image: cgr.dev/chainguard/static
-    repository: ghcr.io/cpanato/github_actions_exporter
+    repository: ghcr.io/cpanato
     platforms:
       - all
     tags:
@@ -66,10 +66,6 @@ kos:
     preserve_import_paths: false
     base_import_paths: true
 
-docker_signs:
-  - artifacts: all
-    args: ["sign", "${artifact}"]
-
 release:
   github:
     owner: cpanato