Push backup image to Docker Hub

Signed-off-by: Stefan Prodan <[email protected]>

Author: stefanprodan

.github/workflows/release.yaml

@@ -33,17 +33,24 @@ jobs:
       - uses: docker/setup-buildx-action@v1
       - uses: sigstore/cosign-installer@main
       - uses: anchore/sbom-action/download-syft@v0
-      - name: Docker login
+      - name: Docker login ghcr.io
         uses: docker/login-action@v1
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
+      - name: Docker login docker.io
+        uses: docker/login-action@v1
+        with:
+          username: fluxcdbot
+          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v3
         with:
-          images: ghcr.io/fluxcd/${{ env.CONTROLLER }}
+          images: |
+          fluxcd/${{ env.CONTROLLER }}
+          ghcr.io/fluxcd/${{ env.CONTROLLER }}
           tags: |
             type=raw,value={{tag}}
       - name: Docker push
@@ -56,12 +63,13 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Docker sign
+      - name: Cosign sign ghcr.io
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign ${{ steps.meta.outputs.tags }}
-      - uses: goreleaser/goreleaser-action@v2
+          cosign sign --recursive ghcr.io/fluxcd/${{ env.CONTROLLER }}:${GITHUB_REF/refs\/tags\//}
+      - name: GoReleaser publish signed SBOM
+        uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
           args: release --rm-dist