fix(workflow): the real issue :)

nais · Apr 27, 2023 · b87eeca · b87eeca
1 parent 0f152f3
commit b87eeca
Showing 1 changed file with 6 additions and 11 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -120,11 +120,6 @@ jobs:
             COSIGN_VERSION=${{ env.COSIGN_VERSION }}
             GRADLE_VERSION=${{ env.GRADLE_VERSION }}
 
-      - name: Set digest
-        id: digest
-        run: |
-          echo "digest=${{ steps.docker_build.outputs.digest }}" >> $GITHUB_OUTPUT
-
       - name: Update major/minor version tag
         if: ${{ github.ref == 'refs/heads/main' }}
         run: "git tag -f ${{ env.VERSION }}\ngit push -f origin ${{ env.VERSION }} \n"
@@ -156,19 +151,19 @@ jobs:
       - name: Sign Docker image
         run: |
           echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
-          cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@{{ env.DIGEST }}
-          cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@{{ env.DIGEST }}
+          cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
+          cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: Verify and attach attestation
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
-          cosign verify --key cosign.pub ${{ env.IMAGE_NAME }}@{{ env.DIGEST }}
-          syft attest -o spdx-json ${{ env.IMAGE_NAME }}@{{ env.DIGEST }} > sbom-cli.json
-          cosign attach attestation --attestation sbom-cli.json ${{ env.IMAGE_NAME }}@{{ env.DIGEST }}
-          cosign verify-attestation --type spdxjson --key cosign.pub ${{ env.IMAGE_NAME }}@{{ env.DIGEST }} > cosignverify.json
+          cosign verify --key cosign.pub ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
+          syft attest -o spdx-json ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} > sbom-cli.json
+          cosign attach attestation --attestation sbom-cli.json ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
+          cosign verify-attestation --type spdxjson --key cosign.pub ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} > cosignverify.json
       - name: Upload provenance
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # ratchet:actions/upload-artifact@v3
         with: