From 04323448b0c3b9bead81e4973152c334f7e04ea9 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Thu, 16 Dec 2021 09:59:56 -0800 Subject: [PATCH] Sign digests not tags. The logic that was in here was signing the tags we publish, which has a race. Also since what cosign signs is actually the digest, this was signing 3x where we really only need one call. --- .github/workflows/release.yaml | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ca601d49c2..6dcc04fa17 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -54,6 +54,7 @@ jobs: gcloud auth configure-docker - uses: docker/build-push-action@v2 + id: build-and-push with: context: . file: ./deploy/Dockerfile @@ -72,9 +73,7 @@ jobs: # Use cosign to sign the images - run: | export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }} - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }} - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:latest + cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} build-debug: env: @@ -124,6 +123,7 @@ jobs: gcloud auth configure-docker - uses: docker/build-push-action@v2 + id: build-and-push with: context: . file: ./deploy/Dockerfile_debug 
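Review bot: The new `cosign sign` line in the `@@ -72,9 +73,7 @@` hunk interpolates `${{ steps.build-and-push.outputs.digest }}` directly into the `run:` script, so the value is substituted before the shell starts, and an empty output (the build step only reports a `digest` when it actually pushes; its `push:` input is outside this hunk) turns into the malformed reference `executor@` with nothing but cosign's own error to explain it. Passing the digest through `env:` and asserting its shape before signing keeps the script literal and fails fast; the debug, warmer and slim hunks at `@@ -142`, `@@ -211` and `@@ -281` have the same shape and need the same change. The exposure from an action-produced digest is small, but the `env:` indirection is the documented hardening for any context value used inside `run:`. The `-kms` flag is carried over from the old lines; newer cosign releases take the KMS URI through `--key`, so confirm it against the cosign version installed earlier in the job (outside the hunk). The step comment `# Use cosign to sign the images` could also say that one digest signature now covers every tag pushed by the build step, which is the reason the three per-tag calls were dropped.
```yaml
# Use cosign to sign the image by digest; one signature covers every tag
# the build-and-push step pushed for this digest.
- env:
    DIGEST: ${{ steps.build-and-push.outputs.digest }}
  run: |
    export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
    [[ "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "build-and-push produced no image digest" >&2; exit 1; }
    cosign sign -kms "$KMS_VAL" "gcr.io/kaniko-project/executor@${DIGEST}"
```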
@@ -142,9 +142,7 @@ jobs: # Use cosign to sign the images - run: | export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:debug + cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} build-warmer: env: @@ -192,7 +190,9 @@ jobs: # Set up docker to authenticate # via gcloud command-line tool. gcloud auth configure-docker + - uses: docker/build-push-action@v2 + id: build-and-push with: context: . file: ./deploy/Dockerfile_warmer @@ -211,9 +211,7 @@ jobs: # Use cosign to sign the images - run: | export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }} - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }} - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:latest + cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }} build-slim: env: @@ -263,6 +261,7 @@ jobs: gcloud auth configure-docker - uses: docker/build-push-action@v2 + id: build-and-push with: context: . file: ./deploy/Dockerfile_slim @@ -281,7 +280,5 @@ jobs: # Use cosign to sign the images - run: | export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:slim + cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}