From 1eddd0d8e62d44aa443c9198e1a9207212f3c3aa Mon Sep 17 00:00:00 2001
From: Justin Pflueger
Date: Thu, 7 Mar 2024 04:06:49 -0700
Subject: [PATCH] try to fix the devcontainer cosign
Signed-off-by: Justin Pflueger
---
 .github/workflows/docker.yaml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 5dc1229..6b2a09a 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -23,12 +23,11 @@ jobs:
 id-token: write
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 # Install the cosign tool except on PR
 # https://github.com/sigstore/cosign-installer
 - name: Install cosign
- if: github.event_name != 'pull_request'
 uses: sigstore/cosign-installer@v3.3.0
 - name: Set up QEMU
@@ -66,11 +65,16 @@ jobs:
 skipContainerUserIdUpdate: true
 platform: linux/amd64,linux/arm64
 runCmd: spin --version
+ push: always
 # Sign the resulting Docker image digest except on PRs.
 - name: Sign the published Docker image
- if: ${{ github.event_name != 'pull_request' }}
 env:
+ IMAGE: ghcr.io/${{ github.repository }}
 TAGS: ${{ steps.meta.outputs.tags }}
- DIGEST: ${{ steps.build-and-push.outputs.digest }}
- run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
\ No newline at end of file
+ run: |
+ for tag in "${TAGS[@]}"; do
+ IMAGE_TAG="ghcr.io/${IMAGE}:${tag}"
+ DIGEST=$(docker image ls "$IMAGE_TAG" --digests --format='{{.Digest}}')
+ cosign sign --yes "${IMAGE_TAG}@${DIGEST}"
+ done
\ No newline at end of file
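Review bot: Pull-request runs would now install cosign, push and sign images under this job's `id-token: write` identity, because the `if: github.event_name != 'pull_request'` guard is dropped here and on the signing step in the second hunk, where `push: always` is also added. This assumes the workflow still triggers on pull requests; the `on:` block is outside the hunk. If that is not intended, keep `if: github.event_name != 'pull_request'` on both steps and push only on non-PR events. If it is intended, the comments `# Install the cosign tool except on PR` and `# Sign the resulting Docker image digest except on PRs.` no longer describe the steps and should be reworded. Separately, `actions/checkout@v4` is a mutable tag, and `actions/checkout@<full-commit-sha> # v4` is the safer form in a job that can mint OIDC tokens.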
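Review bot: The new `run` script is unlikely to sign the intended references: `"${TAGS[@]}"` expands a plain environment string as a single word, so the loop body runs once with every tag in `tag`, and `IMAGE_TAG="ghcr.io/${IMAGE}:${tag}"` repeats the `ghcr.io/` prefix that `IMAGE` already carries. The removed line used each `TAGS` entry as a complete reference (`{}@${DIGEST}`), so the entries presumably already include the image name. `DIGEST` is also never checked; if `docker image ls` prints nothing, which is plausible after a multi-platform push that may not leave the image in the local store, cosign is handed a reference ending in `@` with no digest. Resolving the digest by tag at signing time is also weaker than signing the digest reported by the build step, as the removed `DIGEST` env did, so prefer that output if the build step exposes one. The loop below reads `TAGS` line by line and fails when no `sha256:` digest is resolved; `IMAGE` then becomes unused and can be dropped.

```yaml
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          set -euo pipefail
          # TAGS is a newline-separated string, not a bash array
          while IFS= read -r ref; do
            [ -n "${ref}" ] || continue
            # assumes each entry is already a full reference (registry/name:tag); confirm against the meta step
            digest="$(docker image ls "${ref}" --digests --format='{{.Digest}}')"
            case "${digest}" in
              sha256:*) ;;
              *) echo "no digest resolved for ${ref}" >&2; exit 1 ;;
            esac
            cosign sign --yes "${ref}@${digest}"
          done <<< "${TAGS}"
```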