Use digest to sign in

.github/workflows/build.yml

@@ -8,12 +8,6 @@ jobs:
   test:
     name: 🤞 Test
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
     steps:
     - name: 🛑 Cancel Previous Runs
       uses: styfle/[email protected]
@@ -57,25 +51,3 @@ jobs:
       run: make build
       env:
         VERSION: "ci-build"
-
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v1
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ secrets.PAT }}
-
-    - name: Install cosign
-      uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
-      with:
-        cosign-release: 'v2.1.1'
-
-    - name: Sign the OCI artifact
-      env:
-        COSIGNKEY: ${{ secrets.COSIGNKEY }}
-      run: |
-        echo "$COSIGNKEY" > /home/runner/work/capacitor/capacitor/cosign.key
-        # keyless mode
-        cosign sign ghcr.io/gimlet-io/capacitor-manifests:v-cosign-test2 -y
-        # private pub key
-        cosign sign --key /home/runner/work/capacitor/capacitor/cosign.key  ghcr.io/gimlet-io/capacitor-manifests:v-cosign-test2 -y

.github/workflows/publish.yml

@@ -65,6 +65,7 @@ jobs:
         username: ${{ github.repository_owner }}
         password: ${{ secrets.PAT }} # `PAT` is a secret that contains your Personal Access Token with `write:packages` scope
     - name: Build and push Gimlet image
+      id: build-and-push
       uses: docker/[email protected]
       with:
         context: .
@@ -94,4 +95,4 @@ jobs:
         COSIGNKEY: ${{ secrets.COSIGNKEY }}
       run: |
         # keyless mode
-        cosign sign ghcr.io/gimlet-io/capacitor-manifests:${{ steps.version.outputs.version }} -y
+        cosign sign ghcr.io/gimlet-io/capacitor-manifests:${{ steps.build-and-push.outputs.digest }} -y