From 7cce4fd6d885965539e3c3164e61213b713b5d91 Mon Sep 17 00:00:00 2001
From: Sanskar Jaiswal
Date: Mon, 28 Aug 2023 14:51:42 +0530
Subject: [PATCH] ci: update cosign signing

Bypass prompt confirmation and switch to signing digests instead of tags.

Signed-off-by: Sanskar Jaiswal
---
 .github/workflows/push-ld.yml | 3 ++-
 .github/workflows/release.yml | 20 ++++++++++++--------
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/push-ld.yml b/.github/workflows/push-ld.yml
index 119ef70eb..2456bd4ce 100644
--- a/.github/workflows/push-ld.yml
+++ b/.github/workflows/push-ld.yml
@@ -43,6 +43,7 @@ jobs:
 tags: |
 type=raw,value=${{ steps.prep.outputs.VERSION }}
 - name: Publish image
+ id: build-push
 uses: docker/build-push-action@v4
 with:
 push: true
@@ -58,4 +59,4 @@ jobs:
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
- cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
+ cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a98cb371f..364d78297 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -59,6 +59,7 @@ jobs:
 tags: |
 type=raw,value=${{ steps.prep.outputs.VERSION }}
 - name: Publish image
+ id: build-push
 uses: docker/build-push-action@v4
 with:
 sbom: true
@@ -76,7 +77,7 @@ jobs:
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
- cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}
+ cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
 - name: Publish Helm charts
 if: startsWith(github.ref, 'refs/tags/v')
 uses: stefanprodan/helm-gh-pages@v1.7.0
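Review bot: The new `cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}` line in push-ld.yml (and the identical line in release.yml at @@ -76) binds the signature to the pushed content instead of to a mutable tag, but nothing in the workflow records that intent, so a later edit could quietly reintroduce the tag form. A comment above the step would keep the reasoning next to the command: `# Sign the digest reported by build-push, not the tag: a tag can be re-pointed after signing, a digest cannot.` The digest output presumably is only populated when the build-push step actually pushes; push-ld.yml shows `push: true` in context, but the release.yml hunk does not show that step's `push:` setting, so if it is conditional the reference would collapse to `IMAGE@` and cosign would fail on the malformed reference — worth confirming. The enclosing job continues outside both hunks.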
@@ -93,19 +94,22 @@ jobs:
 COSIGN_EXPERIMENTAL: 1
 run: |
 helm package charts/flagger
- helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts
- cosign sign ghcr.io/fluxcd/charts/flagger:${{ steps.prep.outputs.VERSION }}
+ digest = $(helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts | awk '/Digest:/ {print $2}' | tr -d '\n' | xargs)
+ cosign sign --yes ghcr.io/fluxcd/charts/flagger@${{ digest }}
 rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
 - name: Publish signed manifests to GHCR
 if: startsWith(github.ref, 'refs/tags/v')
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
- flux push artifact oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
- --path="./kustomize" \
- --source="$(git config --get remote.origin.url)" \
- --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)"
- cosign sign ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }}
+ digest_url = $(flux push artifact \
+ oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
+ --path="./kustomize" \
+ --source="$(git config --get remote.origin.url)" \
+ --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)"
+ --output json | \
+ jq -r '. | .repository + "@" + .digest')
+ cosign sign --yes ${{ digest_url }}
 - uses: anchore/sbom-action/download-syft@v0
 - name: Create release and SBOM
 uses: goreleaser/goreleaser-action@v4
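Review bot: The two new `run:` blocks in the Helm-chart and manifest steps will not execute as written: `digest = $(…)` and `digest_url = $(…)` have spaces around `=`, so bash tries to run a command named `digest` instead of assigning, and `${{ digest }}` / `${{ digest_url }}` are workflow expressions rather than shell expansions — `digest` is not a recognised expression context, so the workflow is rejected at parse time (or at best expands empty), leaving cosign with `…/flagger@` and no digest to sign. In the manifest step the `--revision=…` line also lacks the trailing `\`, so `--output json | jq …` becomes a second command inside the substitution rather than part of `flux push artifact`. Write the assignments as `digest=$(…)` / `digest_url=$(…)`, reference them as `"${digest}"` / `"${digest_url}"`, restore the continuation, and fail fast on an empty value so an unsigned push cannot pass silently; the `tr -d '\n' | xargs` tail is redundant once the value goes through `$(…)`, which already strips the trailing newline. With no `shell:` key these steps presumably run under `bash -e` without pipefail, so a failed `helm push` or `flux push` inside the pipeline would not by itself fail the step — the non-empty check is what catches that.

```yaml
        run: |
          helm package charts/flagger
          digest=$(helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts | awk '/Digest:/ {print $2}')
          test -n "${digest}"
          cosign sign --yes "ghcr.io/fluxcd/charts/flagger@${digest}"
          rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
      # … unchanged: "Publish signed manifests to GHCR" step name, if and env …
        run: |
          digest_url=$(flux push artifact \
            oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
            --path="./kustomize" \
            --source="$(git config --get remote.origin.url)" \
            --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" \
            --output json | jq -r '. | .repository + "@" + .digest')
          test -n "${digest_url}"
          cosign sign --yes "${digest_url}"
```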