From a5e6288ca2536e49aedfc98e9bdb85d5f5283573 Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Sat, 28 May 2022 18:59:48 -0500
Subject: [PATCH] :seedling: Signing scorecard images using cosign
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/publishimage.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml
index 3bcd3ffcb404..f201c517af39 100644
--- a/.github/workflows/publishimage.yml
+++ b/.github/workflows/publishimage.yml
@@ -20,6 +20,9 @@ permissions:
 packages: write
 on:
+ pull_request:
+ branches:
+ - main
 push:
 branches:
 - main
@@ -27,11 +30,11 @@ env:
 GO_VERSION: 1.17.7
 jobs:
- env:
- COSIGN_EXPERIMENTAL: "true"
 unit-test:
 name: publishimage
 runs-on: ubuntu-latest
+ env:
+ COSIGN_EXPERIMENTAL: "true"
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # v1
@@ -59,7 +62,7 @@ jobs:
 make install
 make scorecard-ko
 - name: Install Cosign
- uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
+ uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656
 - name: Sign image
- run: |
- cosign sign ghcr.io/${{github.repository_owner}}/stunning-tribble:${{ github.sha }}
+ run: |
+ cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}
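Review bot: The added `pull_request` trigger makes this publishing workflow, which the context line shows running with `packages: write`, also run for every pull request against main, so the `Sign image` step further down would run on unmerged code. If the trigger is only there to exercise the build, the signing step (and the `make scorecard-ko` step, if it pushes) should be limited to pushes, e.g. `if: github.event_name == 'push'` on those steps. On `pull_request` runs `github.sha` is the temporary merge commit rather than a commit on main, so an image tagged and signed from such a run would not map to a commit in the branch history. The rest of the `permissions:` and `on:` blocks lies outside the hunk.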
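Review bot: Keyless signing, which `COSIGN_EXPERIMENTAL: "true"` turns on, needs the job to be able to request an OIDC token, i.e. `id-token: write` under `permissions:`, and the only permission visible in this patch is `packages: write`. The lines above it are outside the diff, so this may already be declared; if not, the `Sign image` step will probably fail when it asks for the token. The variable is also only needed by the signing step, so it could sit in an `env:` on `Sign image` instead of on the whole job. A short comment such as `# keyless (Fulcio/Rekor) signing; requires id-token: write` next to it would record the dependency.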
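Review bot: `cosign sign` is given a tag reference (`...:${{ github.sha }}`), and a tag can be moved between the build step and the signing step, so the signature may end up on a different image than the one just built; signing the digest that the build produced pins it. Something like `cosign sign ghcr.io/${{ github.repository_owner }}/scorecard/v4@${IMAGE_DIGEST}` would do, where `IMAGE_DIGEST` is a placeholder for whatever the build step outputs (that step's result is not visible in this hunk). Separately, the `# v1.2.1` comment was dropped from the pinned `sigstore/cosign-installer` SHA; keeping `# v1.2.1` after the hash lets a reviewer see which release the commit is meant to be.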