From 59db3b7fb20c9e7c69e697d1f1be293bd6e69bac Mon Sep 17 00:00:00 2001 From: James Reeve Date: Fri, 22 Sep 2023 16:31:15 -0400 Subject: [PATCH] test --- .github/workflows/release.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 137ff79..fbe82ee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -229,7 +229,7 @@ jobs: - name: Push Image id: push-image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v5 with: push: true tags: ${{ steps.meta.outputs.tags }} @@ -249,10 +249,21 @@ jobs: - name: Sign container image if: ${{ inputs.push }} run: | - cosign sign --key cosign.key \ + cosign sign --insecure-ignore-tlog=true --key cosign.key \ -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ ${{ inputs.image }}@${{ steps.push-image.outputs.digest }} env: COSIGN_PASSWORD: ${{ secrets.CONTAINER_IMAGE_SIGNING_PASSWORD }} + + - name: Sign container image attestations + if: ${{ inputs.push }} + run: | + cosign attest \ + --key cosign.key \ + --type spdx --predicate sbom.spdx.json \ + ${{ inputs.image }}@${{ steps.push-image.outputs.digest }} + + env: + COSIGN_PASSWORD: ${{ secrets.CONTAINER_IMAGE_SIGNING_PASSWORD }}
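Review bot: The `--insecure-ignore-tlog=true` added to the `cosign sign` line in the second hunk (release.yml, "Sign container image" step) by its name takes the transparency log out of the release signature. The new `cosign attest` step carries no such option, so the image signature and its SBOM attestation end up under different log policies. Given the "test" subject this looks like a debugging leftover, and I would restore `cosign sign --key cosign.key \` before merge. If the log really must be skipped, add a comment giving the reason and confirm the option is one `cosign sign` honours; to my knowledge the sign-side switch is `--tlog-upload=false`, and `--insecure-ignore-tlog` belongs to verification. Separately, the added step pairs `--type spdx` with `sbom.spdx.json`; cosign has a distinct `spdxjson` predicate type that probably fits a JSON SBOM better, so `--type spdxjson --predicate sbom.spdx.json \` is worth checking.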