From 012d30a4b685844b3e4461be50b6ba9b77ec20e1 Mon Sep 17 00:00:00 2001
From: Marc Boorshtein <marc@tremolo.io>
Date: Fri, 31 May 2024 10:49:44 -0400
Subject: [PATCH] remove cosign on dockerhub build

---
 .github/workflows/dockerbuild.yml | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/dockerbuild.yml b/.github/workflows/dockerbuild.yml
index 7437f55..09bbe79 100755
--- a/.github/workflows/dockerbuild.yml
+++ b/.github/workflows/dockerbuild.yml
@@ -59,14 +59,9 @@ jobs:
       
       - name: sign images
         run: |-
-              cosign sign -y docker.io/tremolosecurity/activemq-docker:${{ env.TAG }}
               cosign sign -y ghcr.io/tremolosecurity/activemq-docker:${{ env.TAG }}
       
-      - uses: anchore/sbom-action@v0
-        with:
-          image: docker.io/tremolosecurity/activemq-docker:${{ env.TAG }}
-          format: spdx
-          output-file: /tmp/spdxd
+
 
       - uses: anchore/sbom-action@v0
         with:
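Review bot: The remaining `cosign sign -y ghcr.io/tremolosecurity/activemq-docker:${{ env.TAG }}` in the `sign images` step signs by mutable tag, so the signature lands on whatever manifest the tag resolves to at signing time rather than on the image this job built. Signing by digest closes that gap, e.g. `cosign sign -y ghcr.io/tremolosecurity/activemq-docker@<digest-from-build-step>`; the build and push steps are outside this hunk, so where the digest comes from needs confirming. The surviving `anchore/sbom-action@v0` reference is likewise a moving tag and could be pinned to a full commit SHA. If this workflow still pushes to docker.io (not visible here), a comment such as `# Docker Hub images are intentionally unsigned; verify signatures and SBOM against ghcr.io` would record that the omission is deliberate.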
@@ -76,14 +71,7 @@ jobs:
     
       - name: attach sbom to images
         run: |-
-              cosign attach sbom --sbom /tmp/spdxd docker.io/tremolosecurity/activemq-docker:${{ env.TAG }}
               cosign attach sbom --sbom /tmp/spdxg ghcr.io/tremolosecurity/activemq-docker:${{ env.TAG }}
-    
-              DH_SBOM_SHA=$(cosign verify --certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*' docker.io/tremolosecurity/activemq-docker:${{ env.TAG }} 2>/dev/null | jq -r '.[0].critical.image["docker-manifest-digest"]' | cut -c 8-)
               GH_SBOM_SHA=$(cosign verify --certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*' ghcr.io/tremolosecurity/activemq-docker:${{ env.TAG }} 2>/dev/null | jq -r '.[0].critical.image["docker-manifest-digest"]' | cut -c 8-)
-    
-              echo "DH_SBOM_SHA: $DH_SBOM_SHA"
               echo "GH_SBOM_SHA: $GH_SBOM_SHA"
-
-              cosign sign -y docker.io/tremolosecurity/activemq-docker:sha256-$DH_SBOM_SHA.sbom
-              cosign sign -y ghcr.io/tremolosecurity/activemq-docker:sha256-$GH_SBOM_SHA.sbom
\ No newline at end of file
+              cosign sign -y ghcr.io/tremolosecurity/activemq-docker:sha256-$GH_SBOM_SHA.sbom
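Review bot: `GH_SBOM_SHA` can end up empty without failing the step, because the `cosign verify … | jq … | cut -c 8-` pipeline sends stderr to `/dev/null` and, unless `pipefail` is set elsewhere in the workflow, returns the exit status of `cut`; the final line would then try to sign `sha256-.sbom`. A guard before the sign, `[ -n "$GH_SBOM_SHA" ] || { echo "could not resolve image digest" >&2; exit 1; }`, makes that failure visible. The verify call also accepts any signer through `--certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*'`, so it establishes nothing about who signed the image. Pinning it with `--certificate-oidc-issuer=https://token.actions.githubusercontent.com` and a `--certificate-identity` that matches this workflow would turn it into a real check.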