From a05c2f4bc0b254b89afa94969c4913540508f094 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?=
Date: Sun, 7 May 2023 14:51:47 +0300
Subject: [PATCH] we should rely upon the digests not the tags, typos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Batuhan Apaydın
---
 README.md | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index e88c642..f03ee6a 100644
--- a/README.md
+++ b/README.md
@@ -134,10 +134,8 @@ jobs:
 COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
 COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- - name: Sign the images with GitHub OIDC Token **not production ready**
- run: cosign sign --yes ${TAGS}
- env:
- TAGS: ${{ steps.docker_meta.outputs.tags }}
+ - name: Sign the images with GitHub OIDC Token
+ run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
 ```
 ### Optional Inputs
@@ -151,5 +149,5 @@ The following optional inputs:
 ## Security
-Should you discover any security issues, please refer to sigstore's [security
+Should you discover any security issues, please refer to Sigstore's [security
 process](https://github.com/sigstore/.github/blob/main/SECURITY.md)