diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 203725a..d894399 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -41,9 +41,6 @@ jobs:
 permissions:
 contents: read
 packages: write
- # This is used to complete the identity challenge
- # with sigstore/fulcio when running outside of PRs.
- id-token: write
 
 steps:
 - name: Checkout repository
@@ -159,6 +156,12 @@ jobs:
 runs-on: ubuntu-latest
 needs: [ build ]
 if: github.event_name != 'pull_request'
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
 
 steps:
 - name: Download digests
@@ -215,13 +218,11 @@ jobs:
 # https://github.com/sigstore/cosign
 - name: Sign the published Docker image
 working-directory: /tmp/digests
- env:
- RAW_TAGS: ${{ join(steps.meta.outputs.tags, ' ') }}
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
 run: |
 TAGS=""
- for RAW_TAG in ${RAW_TAGS}; do
+ for RAW_TAG in ${{ join(steps.meta.outputs.tags, ' ') }}; do
 TAGS="${TAGS}$(printf "${RAW_TAG}@sha256:%s " *)"
 done
 for TAG in ${TAGS}; do
@@ -230,9 +231,7 @@ jobs:
 done
 
 - name: Inspect image
- env:
- RAW_TAGS: ${{ join(steps.meta.outputs.tags, ' ') }}
 run: |
- for RAW_TAG in ${RAW_TAGS}; do
+ for RAW_TAG in ${{ join(steps.meta.outputs.tags, ' ') }}; do
 docker buildx imagetools inspect ${RAW_TAG}
 done
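Review bot: The build job can no longer request an OIDC token once `id-token: write` leaves its permissions block, so any signing or attestation step that remains in that job would fail at the token request; the rest of the build job is outside this hunk, so please confirm none is left there. The job-level `permissions:` block added in the second hunk replaces the inherited grant set rather than extending it, which is the right least-privilege direction, but it means every scope that job's steps use must be listed and the hunk shows only `contents`, `packages` and `id-token`. A comment above the new block would make that intent explicit, e.g. `# Job-level permissions replace the inherited set; keep this to the minimum the push and sign steps need.`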
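Review bot: Inlining `${{ join(steps.meta.outputs.tags, ' ') }}` into the `run:` script of the Sign step removes the env-variable indirection the deleted `RAW_TAGS` lines provided: a context expression inside `run:` is substituted into the script text before the shell parses it, whereas an `env:` value reaches the shell as data. GitHub's workflow-hardening guidance and CodeQL's Actions code-injection query flag exactly this pattern, and whether `steps.meta.outputs.tags` (derived from refs and tags) is fully sanitized is not visible from this diff. The same change is made in the Inspect image step in the last hunk. Keeping `env:` with `RAW_TAGS: ${{ join(steps.meta.outputs.tags, ' ') }}` and `for RAW_TAG in ${RAW_TAGS}; do` preserves the original behaviour while keeping the value out of the script body; if the motivation was a multi-line tags output, the env form also avoids a newline landing inside the `for … in` list.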