updates cosign

.github/workflows/main.yml

@@ -2,9 +2,9 @@ name: Docker PostGIS CI
 
 on:
   push:
-    branches: [ "master" ]
+    branches: ["master"]
   pull_request:
-    branches: [ "master" ]
+    branches: ["master"]
 
 defaults:
   run:
@@ -15,12 +15,11 @@ permissions:
   packages: write
 
 jobs:
-
   make-docker-images:
     strategy:
       matrix:
         postgres: [13, 14]
-        postgis: ['3.4']
+        postgis: ["3.4"]
         variant: [alpine]
 
     name: Build docker image for ${{ matrix.postgres }}-${{ matrix.postgis }} variant ${{ matrix.variant }}
@@ -35,55 +34,60 @@ jobs:
       DOCKERFILE_LOCATION: ./${{ format('{0}-{1}', matrix.postgres, matrix.postgis)}}/${{ matrix.variant }}
 
     steps:
-    - name: Checkout source
-      uses: actions/checkout@v4
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 #v3.4.0
+        with:
+          cosign-release: "v2.2.3"
 
-    # Install the cosign tool except on PR
-    # https://github.com/sigstore/cosign-installer
-    - name: Install cosign
-      if: github.event_name != 'pull_request'
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 #v3.4.0
-      with:
-        cosign-release: 'v2.2.3'
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-    # Login against a Docker registry except on PR
-    # https://github.com/docker/login-action
-    - name: Log into registry ${{ env.REGISTRY }}
-      if: github.event_name != 'pull_request'
-      uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
-      with:
-        registry: ${{ env.REGISTRY }}
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Convert $IMAGE_TAG to lowercase
+        id: tag-to-lowercase
+        run: |
+          echo Converting ${{ env.IMAGE_TAG }} to lowercase...
+          IMAGE_TAG_LOWERCASE=$(echo "${{ env.IMAGE_TAG }}" | tr '[:upper:]' '[:lower:]')
+          echo "IMAGE_TAG in lowercase is $IMAGE_TAG_LOWERCASE"
+          echo "IMAGE_TAG_LOWERCASE=$IMAGE_TAG_LOWERCASE" >> $GITHUB_OUTPUT
 
-    - name: Convert $IMAGE_TAG to lowercase
-      id: tag-to-lowercase
-      run: |
-        echo Converting ${{ env.IMAGE_TAG }} to lowercase...
-        IMAGE_TAG_LOWERCASE=$(echo "${{ env.IMAGE_TAG }}" | tr '[:upper:]' '[:lower:]')
-        echo "IMAGE_TAG in lowercase is $IMAGE_TAG_LOWERCASE"
-        echo "IMAGE_TAG_LOWERCASE=$IMAGE_TAG_LOWERCASE" >> $GITHUB_OUTPUT
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image for ${{ env.VERSION }} ${{ env.VARIANT }}
+        id: build-and-push
+        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+        with:
+          context: ${{ env.DOCKERFILE_LOCATION }}
+          file: ${{ env.DOCKERFILE_LOCATION }}/Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.tag-to-lowercase.outputs.IMAGE_TAG_LOWERCASE }}
 
-    # Build and push Docker image with Buildx (don't push on PR)
-    # https://github.com/docker/build-push-action
-    - name: Build and push Docker image for ${{ env.VERSION }} ${{ env.VARIANT }}
-      id: build-and-push
-      uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
-      with:
-        context: ${{ env.DOCKERFILE_LOCATION }}
-        file: ${{ env.DOCKERFILE_LOCATION }}/Dockerfile
-        push: ${{ github.event_name != 'pull_request' }}
-        tags: ${{ steps.tag-to-lowercase.outputs.IMAGE_TAG_LOWERCASE }}
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-    - name: Sign the published Docker image
-      if: ${{ github.event_name != 'pull_request' }}
-      env:
-        COSIGN_EXPERIMENTAL: "true"
-      # This step uses the identity token to provision an ephemeral certificate
-      # against the sigstore community Fulcio instance.
-      run: echo "${{ steps.tag-to-lowercase.outputs.IMAGE_TAG_LOWERCASE }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+      - name: Get ID Token
+        id: id-token
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const idToken = await core.getIDToken('sigstore')
+            core.setOutput('id-token', idToken)
+        # Sign the resulting Docker image digest except on PRs.
+        # This will only write to the public Rekor transparency log when the Docker
+        # repository is public to avoid leaking data.  If you would like to publish
+        # transparency data even for private images, pass --force to cosign below.
+        # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${{ steps.tag-to-lowercase.outputs.IMAGE_TAG_LOWERCASE }}" | xargs -I {} cosign sign --yes --identity-token "${{ steps.id-token.outputs.id-tone}}" {}@${{ steps.build-and-push.outputs.digest }}