test release

.github/workflows/release.yml

@@ -68,22 +68,22 @@ jobs:
       - name: Install Cosign
         uses: sigstore/[email protected]
 
-      - name: Sign Docker Image with Cosign
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }}
-        run: |
-          cosign sign -y \
-            --key env://COSIGN_PRIVATE_KEY \
-            "${IMAGE_REFERENCE}"
-
-      - name: Verify Cosign Signature
-        env:
-          IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }}
-        run: |
-          cosign verify \
-            --key ci/pub.keys/cosign.pub \
-            "${IMAGE_REFERENCE}"
+      # - name: Sign Docker Image with Cosign
+      #   env:
+      #     COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      #     IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }}
+      #   run: |
+      #     cosign sign -y \
+      #       --key env://COSIGN_PRIVATE_KEY \
+      #       "${IMAGE_REFERENCE}"
+
+      # - name: Verify Cosign Signature
+      #   env:
+      #     IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }}
+      #   run: |
+      #     cosign verify \
+      #       --key ci/pub.keys/cosign.pub \
+      #       "${IMAGE_REFERENCE}"
 
       - name: Install Trivy
         run: |
@@ -122,15 +122,42 @@ jobs:
           name: sbom
           path: sbom.json
 
-      - name: Sign SBOM with Cosign
+      # - name: Sign SBOM with Cosign
+      #   env:
+      #     COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      #     IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }}
+      #   run: |
+      #     cosign attest -y \
+      #       --key env://COSIGN_PRIVATE_KEY \
+      #       --predicate sbom.json \
+      #       --type https://spdx.dev/spdx-specification-2-2-pdf \
+      #       "${IMAGE_REFERENCE}"
+
+      - name: Generate Provenance
+        run: |
+          echo '{
+            "buildType": "https://mobyproject.org/buildkit@v1",
+            "builder": {
+              "id": "https://github.com/usabilitydynamics/udx-worker/actions/runs/${{ github.run_id }}"
+            },
+            "invocation": {
+              "parameters": {
+                "context": ".",
+                "dockerfile": "./Dockerfile"
+              }
+            }
+          }' > provenance.json
+          echo "Provenance file created: provenance.json"
+
+      - name: Sign Provenance with Cosign
         env:
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }}
         run: |
           cosign attest -y \
             --key env://COSIGN_PRIVATE_KEY \
-            --predicate sbom.json \
-            --type https://spdx.dev/spdx-specification-2-2-pdf \
+            --predicate provenance.json \
+            --type https://in-toto.io/Statement/v0.1 \
             "${IMAGE_REFERENCE}"
 
       - name: Log out from Docker Hub