ci: sign images using digest instead
diff --git a/zuul.d/playbooks/buildset-registry/run.yml b/zuul.d/playbooks/buildset-registry/run.yml
index 5593170..7f8118c 100644
--- a/zuul.d/playbooks/buildset-registry/run.yml
+++ b/zuul.d/playbooks/buildset-registry/run.yml
@@ -103,6 +103,12 @@
dest: /usr/local/bin/cosign
mode: 0755
+ - name: Determine the digest for the images
+ ansible.builtin.shell: |
+ cosign triangulate --type=digest {{ item }}
+ loop: "{{ images_built }}"
+ register: cosign_digest
+
- name: Copy the cosign public key
copy:
content: "{{ cosign_key.public }}"
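Review bot: The added task templates `{{ item }}` into `ansible.builtin.shell`, so any shell metacharacter in an `images_built` entry would be interpreted by the shell, although the command itself needs no shell features. Prefer `ansible.builtin.command: cosign triangulate --type=digest {{ item }}` and add `changed_when: false`, since the lookup only reads from the registry. The verify task in the next hunk templates `{{ item }}` into a shell the same way. The digest is also resolved from the tag at this moment, so the signature is bound to whatever the tag references when the task runs; if the build step can report the digest it pushed, that would presumably be a tighter source.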
@@ -112,7 +118,7 @@
ignore_errors: true
ansible.builtin.shell: |
cosign verify --key cosign.pub --output json {{ item }}
- loop: "{{ images_built }}"
+ loop: "{{ cosign_digest.results | map(attribute='stdout') | list | unique }}"
register: cosign_verify
- name: Copy the cosign private key
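Review bot: The new loop feeds every `stdout` from `cosign_digest.results` into `cosign verify` without checking that it is a digest-pinned reference. Because this task sets `ignore_errors: true`, an empty or malformed value fails in the same way as an image that is simply not signed yet. An `ansible.builtin.assert` ahead of this task, with something like `that: cosign_digest.results | map(attribute='stdout') | select('search', '@sha256:') | list | length == images_built | length`, would separate the two cases. The verify task starts above the hunk and the tasks that consume `cosign_verify` are outside it, so how a failed result is treated later cannot be confirmed from here.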