Enable cosign and test multiple tags

febus982 · febus982 · commit df7b9501a8ce · 2025-03-06T16:47:57.000Z
diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml
@@ -229,6 +229,7 @@ jobs:
           # generate Docker tags based on the following events/attributes
           tags: |
             type=sha
+            type=sha,suffix=-test
 #            type=raw,value={{branch}}-latest
 #            type=raw,value={{branch}}-{{date 'YYYYMMDDHHmmss'}}
 
@@ -242,23 +243,23 @@ jobs:
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/${{ env.IMAGE_NAME }}-${{ matrix.docker_target }}:${{ steps.meta.outputs.version }}
 
-#      #TODO: Implement signature using generated key: https://docs.sigstore.dev/signing/quickstart/#signing-with-a-generated-key
-#
-#      # Sign the resulting Docker image digest except on PRs.
-#      # This will only write to the public Rekor transparency log when the Docker
-#      # repository is public to avoid leaking data.  If you would like to publish
-#      # transparency data even for private images, pass --force to cosign below.
-#      # https://github.com/sigstore/cosign
-#      - name: Sign the published Docker image using GitHub OIDC Token
-#        env:
-#          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
-#          TAGS: ${{ steps.meta.outputs.tags }}
-#          DIGEST: ${{ steps.build-and-push.outputs.digest }}
-#        # This step uses the identity token to provision an ephemeral certificate
-#        # against the sigstore community Fulcio instance.
-#        run: |
-#          images=""
-#          for tag in ${TAGS}; do
-#            images+="${tag}@${DIGEST} "
-#          done
-#          cosign sign --yes ${images}
+      #TODO: Implement signature using generated key: https://docs.sigstore.dev/signing/quickstart/#signing-with-a-generated-key
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image using GitHub OIDC Token
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
