From e43d94ef9b1c016a0d23d13d67db7339dfb1a02c Mon Sep 17 00:00:00 2001 From: Dmitry Smirnov Date: Thu, 5 Dec 2024 19:18:39 +0200 Subject: [PATCH] test release --- .github/workflows/release.yml | 65 +++++++++++++++++++++++++---------- 1 file changed, 46 insertions(+), 19 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 06480f03..d270f08f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -68,22 +68,22 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@v3.7.0 - - name: Sign Docker Image with Cosign - env: - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }} - run: | - cosign sign -y \ - --key env://COSIGN_PRIVATE_KEY \ - "${IMAGE_REFERENCE}" - - - name: Verify Cosign Signature - env: - IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }} - run: | - cosign verify \ - --key ci/pub.keys/cosign.pub \ - "${IMAGE_REFERENCE}" + # - name: Sign Docker Image with Cosign + # env: + # COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + # IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }} + # run: | + # cosign sign -y \ + # --key env://COSIGN_PRIVATE_KEY \ + # "${IMAGE_REFERENCE}" + + # - name: Verify Cosign Signature + # env: + # IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }} + # run: | + # cosign verify \ + # --key ci/pub.keys/cosign.pub \ + # "${IMAGE_REFERENCE}" - name: Install Trivy run: | 
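Review bot: Commenting out the `Sign Docker Image with Cosign` and `Verify Cosign Signature` steps means this release job now pushes the image with no signature at all, and any consumer that verifies against `ci/pub.keys/cosign.pub` (the key the removed verify step used) will start failing; the commit title "test release" gives no hint whether this is meant to ship. If signing has to be skipped for a test run, keep both steps live and gate them with a step condition rather than dead YAML, e.g. `if: ${{ !inputs.skip_signing }}` on each step together with a matching `workflow_dispatch` boolean input (input name illustrative), so the default push/tag path still signs and verifies. A commented-out block is also invisible to yamllint/actionlint and will drift from the live `cosign attest` invocation that is kept further down in the same file. The enclosing job and its `steps:` list start above this hunk.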
@@ -122,15 +122,42 @@ jobs: name: sbom path: sbom.json - - name: Sign SBOM with Cosign + # - name: Sign SBOM with Cosign + # env: + # COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + # IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }} + # run: | + # cosign attest -y \ + # --key env://COSIGN_PRIVATE_KEY \ + # --predicate sbom.json \ + # --type https://spdx.dev/spdx-specification-2-2-pdf \ + # "${IMAGE_REFERENCE}" + + - name: Generate Provenance + run: | + echo '{ + "buildType": "https://mobyproject.org/buildkit@v1", + "builder": { + "id": "https://github.com/usabilitydynamics/udx-worker/actions/runs/${{ github.run_id }}" + }, + "invocation": { + "parameters": { + "context": ".", + "dockerfile": "./Dockerfile" + } + } + }' > provenance.json + echo "Provenance file created: provenance.json" + + - name: Sign Provenance with Cosign env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }} run: | cosign attest -y \ --key env://COSIGN_PRIVATE_KEY \ - --predicate sbom.json \ - --type https://spdx.dev/spdx-specification-2-2-pdf \ + --predicate provenance.json \ + --type https://in-toto.io/Statement/v0.1 \ "${IMAGE_REFERENCE}" - name: Log out from Docker Hub
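Review bot: In the new `Sign Provenance with Cosign` step, `--type https://in-toto.io/Statement/v0.1` names the in-toto Statement envelope rather than a predicate type, so the resulting attestation's predicateType will not match what SLSA-aware verifiers (`cosign verify-attestation --type slsaprovenance`, admission policies) look for. The hand-written predicate in `Generate Provenance` also carries only `buildType`, `builder.id` and `invocation.parameters`, with the run URL placed in `builder.id`; it records neither the source commit nor the build invocation, so a verifier cannot tie the image to a revision. Emit a SLSA v0.2-shaped predicate that adds `materials` (the commit via `${{ github.sha }}`) and `metadata.buildInvocationId`, and attest it with `--type slsaprovenance \`. Note too that the SBOM is still uploaded (`path: sbom.json`) while its attestation is now commented out, so the image ships with provenance but no SBOM attestation; if that is intended, say so in a comment next to the disabled block. The enclosing job and its `steps:` list start above this hunk.
```yaml
      - name: Generate Provenance
        run: |
          echo '{
            "buildType": "https://mobyproject.org/buildkit@v1",
            "builder": {
              "id": "https://github.com/${{ github.repository }}/.github/workflows/release.yml"
            },
            "invocation": {
              "configSource": {
                "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
                "digest": { "sha1": "${{ github.sha }}" },
                "entryPoint": ".github/workflows/release.yml"
              },
              "parameters": {
                "context": ".",
                "dockerfile": "./Dockerfile"
              }
            },
            "metadata": {
              "buildInvocationId": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
            },
            "materials": [
              {
                "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
                "digest": { "sha1": "${{ github.sha }}" }
              }
            ]
          }' > provenance.json
          # … unchanged: "Provenance file created" echo …

      # … unchanged: Sign Provenance with Cosign step header, env block, cosign attest -y / --key lines …
            --predicate provenance.json \
            --type slsaprovenance \
```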