From e9b792755da9e169a489629b899e6904730271dc Mon Sep 17 00:00:00 2001
From: max furman
Date: Wed, 26 Oct 2022 23:31:02 -0700
Subject: [PATCH] [action] cosign over docker image digest
---
 .github/workflows/release.yml | 6 ++++++
 make/docker.mk | 1 -
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 48bbf730..3ae179ca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -98,4 +98,10 @@ jobs:
 env:
 DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+ - name: Cosign
+ id: cosign
+ run: |
+ DIGEST=$(docker images --digests --format "{{.Digest}}" smallstep/step-ca | head -n 1 | tr -d '[:space:]')
+ cosign sign -r smallstep/step-ca@${DIGEST}
+ env:
 COSIGN_EXPERIMENTAL: 1
diff --git a/make/docker.mk b/make/docker.mk
index 0d56e663..746a4fab 100644
--- a/make/docker.mk
+++ b/make/docker.mk
@@ -54,7 +54,6 @@ define DOCKER_BUILDX
 # $(1) -- Image Tag
 # $(2) -- Push (empty is no push | --push will push to dockerhub)
 docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
- cosign sign -r $(DOCKER_IMAGE_NAME):$(1)
 endef
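Review bot: The Cosign step in `release.yml` signs whatever `docker images --digests ... | head -n 1` prints first, with no check that a digest was actually resolved or that it belongs to the image this run pushed. If the list is empty or the first row is `<none>` (plausible if the multi-platform buildx push does not load the image into the local store, which this hunk does not show), `cosign sign -r smallstep/step-ca@${DIGEST}` runs against a malformed or unintended reference, and a failure inside the pipeline is masked unless the step's shell enables `pipefail`. I would start the `run` block with `set -euo pipefail`, add a guard such as `[[ "${DIGEST}" == sha256:* ]] || { echo "no image digest resolved" >&2; exit 1; }` before signing, and quote the reference as `"smallstep/step-ca@${DIGEST}"`. Taking the digest from the build output itself (buildx `--metadata-file` or `--iidfile`) would tie the signature to the artifact this workflow produced rather than to the ordering of the local image list.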