move sign to release

elchananarb · elchananarb · commit c68052d9185a · 2024-09-26T09:01:20.000+03:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -37,6 +37,7 @@ jobs:
       APPLE_DEVELOPER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
       COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
       COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
     steps:
       - name: Checkout
         uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
@@ -127,9 +128,11 @@ jobs:
           SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
           SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
           SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+
+      - name: Sign Docker Image with Cosign
+        if: inputs.dev == false
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY --passphrase env://COSIGN_PASSWORD ${{ inputs.docker_image }}:{{ inputs.tag }}
 
       - name: Verify Docker image signature
         if: inputs.dev == false
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -65,10 +65,6 @@ dockers:
       - "cxsdlc/ast-cli:{{ .Tag }}"
       - "checkmarx/ast-cli:latest"
       - "checkmarx/ast-cli:{{ .Tag }}"
-    hooks:
-      post:
-        - cmd: cosign sign --key env://COSIGN_PRIVATE_KEY --passphrase env://COSIGN_PASSWORD {{ .ImageName }}
-          output: true
 
 archives:
   - id: cx
