🌱 Signing scorecard images using cosign

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
ossf · May 31, 2022 · b1224a4 · b1224a4
1 parent a4e6166
commit b1224a4
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml
@@ -27,27 +27,27 @@ env:
   GO_VERSION: 1.17.7
 
 jobs:
-  env:
-    COSIGN_EXPERIMENTAL: "true"
   unit-test:
     name: publishimage
     runs-on: ubuntu-latest
+    env:
+      COSIGN_EXPERIMENTAL: "true"
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # v1
+       uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
      - name: Clone the code
-       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4
+       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b 
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+       uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: install ko
-       uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
+       uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675
      - name: publishimage
        uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
        with:
@@ -59,7 +59,7 @@ jobs:
             make install
             make scorecard-ko
      - name: Install Cosign
-       uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
+       uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656
      - name: Sign image
-        run: |
-          cosign sign ghcr.io/${{github.repository_owner}}/stunning-tribble:${{ github.sha }}
+       run: |
+          cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}