@@ -37,12 +37,12 @@ jobs:
3737
3838 # Install the cosign tool except on PR
3939 # https://github.com/sigstore/cosign-installer
40- - name : Install cosign
41- if : github.event_name != 'pull_request'
42- uses : sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
43- # uses: sigstore/[email protected] 44- with :
45- cosign-release : ' v2.2.4' # optional
40+ # - name: Install cosign
41+ # if: github.event_name != 'pull_request'
42+ # uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
43+ # # uses: sigstore/[email protected] 44+ # with:
45+ # cosign-release: 'v2.2.4' # optional
4646
4747
4848 # Workaround: https://github.com/docker/build-push-action/issues/461
@@ -85,11 +85,11 @@ jobs:
8585 # This will only write to the public Rekor transparency log when the Docker
8686 # repository is public to avoid leaking data. If you would like to publish
8787 # transparency data even for private images, pass --force to cosign below.
88- # https://github.com/sigstore/cosign
89- - name : Sign the published Docker image
90- if : ${{ github.event_name != 'pull_request' }}
91- env :
92- COSIGN_EXPERIMENTAL : " true"
93- # This step uses the identity token to provision an ephemeral certificate
94- # against the sigstore community Fulcio instance.
95- run : echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
88+ # # https://github.com/sigstore/cosign
89+ # - name: Sign the published Docker image
90+ # if: ${{ github.event_name != 'pull_request' }}
91+ # env:
92+ # COSIGN_EXPERIMENTAL: "true"
93+ # # This step uses the identity token to provision an ephemeral certificate
94+ # # against the sigstore community Fulcio instance.
95+ # run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
0 commit comments