Update push-docker only sigh fat and normal

Stirling-Tools · Dec 26, 2024 · 0f24fa1 · 0f24fa1
1 parent db1fa28
commit 0f24fa1
Showing 1 changed file with 3 additions and 27 deletions.
diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
@@ -41,6 +41,7 @@ jobs:
           DOCKER_ENABLE_SECURITY: false
 
       - name: Install cosign
+        if: github.ref == 'refs/heads/master'
         uses: sigstore/cosign-installer@v3.7.0
         with:
           cosign-release: 'v2.4.1'
@@ -105,31 +106,18 @@ jobs:
           sbom: true
 
       - name: Sign regular images
+        if: github.ref == 'refs/heads/master'
         env:
           DIGEST: ${{ steps.build-push-regular.outputs.digest }}
           TAGS: ${{ steps.meta.outputs.tags }}
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
-          # Always sign images regardless of branch
           echo "$TAGS" | tr ',' '\n' | while read -r tag; do
             cosign sign --yes \
               --key env://COSIGN_PRIVATE_KEY \
               "${tag}@${DIGEST}"
           done
-          
-          # For alpha builds specifically, we want to ensure they're marked as development builds
-          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
-            echo "Signing alpha build with development attestation"
-            echo "$TAGS" | tr ',' '\n' | while read -r tag; do
-              if [[ $tag == *":alpha" ]]; then
-                cosign attest --key env://COSIGN_PRIVATE_KEY \
-                  --predicate <(echo '{"type":"development"}') \
-                  --yes "${tag}@${DIGEST}"
-              fi
-            done
-          fi
-
 
       - name: Generate tags ultra-lite
         id: meta2
@@ -162,18 +150,6 @@ jobs:
           provenance: true
           sbom: true
 
-      - name: Sign ultra-lite images
-        if: github.ref != 'refs/heads/main'
-        env:
-          DIGEST: ${{ steps.build-push-lite.outputs.digest }}
-          TAGS: ${{ steps.meta2.outputs.tags }}
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-        run: |
-          echo "$TAGS" | tr ',' '\n' | while read -r tag; do
-            cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}"
-          done
-
       - name: Generate tags fat
         id: meta3
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
@@ -207,7 +183,7 @@ jobs:
           sbom: true
 
       - name: Sign fat images
-        if: github.ref != 'refs/heads/main'
+        if: github.ref == 'refs/heads/master'
         env:
           DIGEST: ${{ steps.build-push-fat.outputs.digest }}
           TAGS: ${{ steps.meta3.outputs.tags }}