test

.github/workflows/release.yml

@@ -229,7 +229,7 @@ jobs:
 
       - name: Push Image
         id: push-image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
@@ -249,10 +249,21 @@ jobs:
       - name: Sign container image
         if: ${{ inputs.push }}
         run: |
-          cosign sign --key cosign.key \
+          cosign sign --insecure-ignore-tlog=true --key cosign.key \
             -a "repo=${{ github.repository }}" \
             -a "workflow=${{ github.workflow }}" \
             -a "ref=${{ github.sha }}" \
             ${{ inputs.image }}@${{ steps.push-image.outputs.digest }}
         env:
           COSIGN_PASSWORD: ${{ secrets.CONTAINER_IMAGE_SIGNING_PASSWORD }}
+
+      - name: Sign container image attestations
+        if: ${{ inputs.push }}
+        run: |
+          cosign attest \
+            --key cosign.key \
+            --type spdx --predicate sbom.spdx.json \
+            ${{ inputs.image }}@${{ steps.push-image.outputs.digest }}
+
+        env:
+          COSIGN_PASSWORD: ${{ secrets.CONTAINER_IMAGE_SIGNING_PASSWORD }}