Don't publish .sig files.

2025-11-07 09:14:19 -08:00
parent df3ca02e8b
commit d2f512cae7
2 changed files with 9 additions and 70 deletions
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -50,11 +50,9 @@ jobs:
        run: |
          INPUT="${{ github.event.inputs.version }}"
          if [[ -n "$INPUT" ]]; then
-            # Strip leading v if present
            VERSION="${INPUT#v}"
            MAJOR=$(echo "$VERSION" | cut -d. -f1)
            MINOR=$(echo "$VERSION" | cut -d. -f2)
-            # Include latest explicitly
            echo "version_tags=${VERSION},${MAJOR}.${MINOR},${MAJOR},latest" >> $GITHUB_ENV
          else
            echo "version_tags=" >> $GITHUB_ENV
@@ -70,15 +68,10 @@ jobs:
          flavor: |
            latest=auto
          tags: |
-            # From real Git tags (v1.2.3)
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
-
-            # Manual input tags
            type=raw,value=${{ env.version_tags }},enable=${{ env.version_tags != '' }}
-
-            # Fallbacks
            type=ref,event=branch
            type=sha

@@ -93,9 +86,13 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
+          provenance: false # disable automatic attestations
+
+      # Generate a local provenance attestation instead of uploading signatures
+      - name: Generate provenance attestation
+        run: |
+          cosign attest --yes \
+            --predicate <(echo '{"build":"github-actions","repo":"${{ github.repository }}","run_id":"${{ github.run_id }}"}') \
+            --type slsaprovenance \
+            ${{ steps.meta.outputs.tags }}

-      - name: Sign the published Docker image
-        env:
-          TAGS: ${{ steps.meta.outputs.tags }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
-        run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"