From 36c4f96a3946847da3e343738cb4de83731ce8a0 Mon Sep 17 00:00:00 2001
From: Christoph Voigt
Date: Thu, 28 Sep 2023 23:00:25 +0200
Subject: [PATCH] add signing artifacts
---
.github/workflows/docker-build-push.yml | 41 ++++++++++++++++---------
1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
index 4be0a30..21a8367 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -27,15 +27,32 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
- -
+ - # Set up QEMU
name: Set up QEMU
uses: docker/setup-qemu-action@v1
- -
+ - # Setup Docker buildx
name: Set up Docker Buildx
id: buildx
- uses: docker/setup-buildx-action@v1
-
- - name: Log in to the Container registry
+ uses: docker/setup-buildx-action@v2
+ - # Build the local image
name: Build Local Container
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile
tags: "local/${{ inputs.image-name }}:${{ inputs.image-tag }}"
push: false
load: true
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
+ - # Install cosign
name: Install Cosign
uses: sigstore/cosign-installer@v3.0.1
with:
cosign-release: v2.0.0
+ - # Login into registry
name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
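Review bot: The new `Build Local Container` step combines `load: true` with `platforms: linux/amd64,linux/arm64`; the docker exporter that `load` relies on cannot import a multi-platform manifest list into the default image store, so buildx rejects this combination and the job should fail before it ever reaches the signing step. Either drop `platforms:` from this local build (it only needs the runner's native architecture) or run one `load` build per platform. Its tag `"local/${{ inputs.image-name }}:${{ inputs.image-tag }}"` reads `inputs.*` while the push step later in the file uses `env.REGISTRY`/`env.IMAGE_NAME`; the workflow header is outside the hunk so whether those inputs are declared cannot be checked here, and an undeclared input expands to an empty string, producing the invalid tag `local/:`. The actions introduced here (`sigstore/cosign-installer@v3.0.1`, `docker/build-push-action@v5`) are referenced by mutable tags; for a pipeline whose output is a signature, pinning each `uses:` to a full commit SHA (e.g. `sigstore/cosign-installer@<commit-sha-for-v3.0.1>` with the tag in a trailing comment) keeps the toolchain that produces the signature from changing underneath it. `docker/setup-qemu-action@v1` is left a major version behind the other Docker actions, which is a consistency point rather than a defect.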
@@ -53,24 +70,20 @@ jobs:
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- type=sha
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
- context: .
push: ${{ github.event_name != 'pull_request' }}
platforms: linux/amd64,linux/arm64
- tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
file: Dockerfile
cache-from: type=gha
cache-to: type=gha,mode=max
-
- - name: Install Cosign for signing Spin binary
- uses: sigstore/cosign-installer@v3.0.1
- with:
- cosign-release: v2.0.0
+ tags: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ ${{ steps.meta.outputs.tags }}
- name: Sign the image with GitHub OIDC token
shell: bash
@@ -79,7 +92,7 @@ jobs:
--yes \
--output-certificate crt.pem \
--output-signature kwasm-image.sig \
- ${{ steps.meta.outputs.tags }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: prepare assets for upload
if: runner.os != 'Windows'
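Review bot: The hand-built entries in `tags: |` bypass the normalization that `docker/metadata-action` applies to `steps.meta.outputs.tags`: if `env.IMAGE_NAME` is derived from `github.repository` (it is defined outside this hunk, so this is unverified), any uppercase letter makes `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest` an invalid reference and the push fails, whereas the metadata action lowercases the image name. `:latest` is also pushed on every non-pull_request event, so a push to any branch or tag that triggers this workflow overwrites `latest`; a metadata-action rule such as `type=raw,value=latest,enable={{is_default_branch}}` (plus `type=sha,format=long` for the commit tag) keeps both under the same normalized output and restores the `type=sha` entry this commit removes. Dropping `context: .` switches `docker/build-push-action@v5` to its default Git context, which clones the repository again instead of building from the `actions/checkout` workspace; if that is intentional, a short comment on the step saying so would help, otherwise `context: .` should stay. The `Build and push Docker image` step also has no `id:`, so its `digest` output cannot be referenced by the signing step in the next hunk.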
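Review bot: The signing step now identifies the image by tag, `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}`, but a tag is a mutable pointer: cosign signs whatever digest the registry resolves it to at that moment, which is not necessarily the image the previous step pushed, and cosign 2.x warns about tag references for exactly this reason. Give the push step `id: build` and sign the immutable reference instead, `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}`; `digest` is a documented output of `docker/build-push-action`. The step's `if:` guard and the job's `id-token: write` permission both lie outside this hunk, so whether signing is skipped on pull_request (where `push` is false and no image exists to sign) cannot be confirmed here.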