From 93dcedd5164a6b07b3c0d4742d33ac9a1f1c262c Mon Sep 17 00:00:00 2001
From: Will Norris
Date: Tue, 6 Dec 2022 08:58:50 -0800
Subject: [PATCH] docker: go back to signing digests apparently cosign doesn't like signing tags :) WARNING: Image reference ghcr.io/willnorris/imageproxy:main uses a tag, not a digest, to identify the image to sign. This can lead you to sign a different image than the intended one. Please use a digest (example.com/ubuntu@sha256:abc123...) rather than tag (example.com/ubuntu:latest) for the input to cosign. The ability to refer to images by tag will be removed in a future release.
---
 .github/workflows/docker.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 255d26c..26681d8 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -58,6 +58,5 @@ jobs:
 - name: Sign the published Docker image
 if: github.event_name == 'push'
 env:
- TAGS: ${{ steps.meta.outputs.tags }}
 COSIGN_EXPERIMENTAL: "true"
- run: cosign sign ${TAGS}
+ run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
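Review bot: The new `run:` line pastes three `${{ … }}` expressions straight into the script text, so their values are parsed by the shell as code rather than passed as data, and the reference is unquoted. The removed version routed its value through `env:`, which is the safer pattern. Keep that shape for the digest: add `DIGEST: ${{ steps.build-and-push.outputs.digest }}` under the step's `env:` and sign with `run: cosign sign "${REGISTRY}/${IMAGE_NAME}@${DIGEST}"`. `REGISTRY` and `IMAGE_NAME` are defined outside this hunk, presumably as workflow-level `env`, in which case they are already exported to the step; confirm that before switching. Because an empty digest output would produce a reference ending in `@`, a guard such as `test -n "${DIGEST}"` before signing would make that failure explicit.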