Fix Cosign image signing by using digest instead of tag to avoid sign…

…ing incorrect image versions Signed-off-by: Saurabhkr952 <saurabhkr952@gmail.com>
Saurabhkr952 · Aug 27, 2024 · 4326b0e · 4326b0e
1 parent 62e8f9d
commit 4326b0e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/.github/workflows/multi-stage-workflow.yml b/.github/workflows/multi-stage-workflow.yml
@@ -40,7 +40,7 @@ jobs:
       # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
       - name: Sign image with a key
         run: |
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY saurabhkr952/dev-portfolio:${{ github.sha }}
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY saurabhkr952/dev-portfolio@@sha256:${{ github.sha }}
         env:
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}