test

.github/workflows/push-docker.yml

@@ -5,7 +5,7 @@ on:
   push:
     branches:
       - master
-      - main
+      - docker-rename
 
 permissions:
   contents: read
@@ -85,9 +85,9 @@ jobs:
           tags: |
             type=raw,value=${{ steps.versionNumber.outputs.versionNumber }},enable=${{ github.ref == 'refs/heads/master' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
-            type=raw,value=alpha,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=alpha,enable=${{ github.ref == 'refs/heads/docker-rename' }}
 
-      - name: Build and push main Dockerfile
+      - name: Build and push docker-rename Dockerfile
         id: build-push-regular
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
@@ -108,33 +108,33 @@ jobs:
         env:
           DIGEST: ${{ steps.build-push-regular.outputs.digest }}
           TAGS: ${{ steps.meta.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           # Always sign images regardless of branch
           echo "$TAGS" | tr ',' '\n' | while read -r tag; do
             cosign sign --yes \
-              --identity-token ${ACTIONS_ID_TOKEN_REQUEST_TOKEN} \
-                            --force \
+              --key env://COSIGN_PRIVATE_KEY \
               "${tag}@${DIGEST}"
           done
-      
-          # For alpha builds specifically
-          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+          
+          # For alpha builds specifically, we want to ensure they're marked as development builds
+          if [[ "${{ github.ref }}" == "refs/heads/docker-rename" ]]; then
             echo "Signing alpha build with development attestation"
             echo "$TAGS" | tr ',' '\n' | while read -r tag; do
               if [[ $tag == *":alpha" ]]; then
-                cosign attest --yes \
-                  --identity-token ${ACTIONS_ID_TOKEN_REQUEST_TOKEN} \
-                  --force \
+                cosign attest --key env://COSIGN_PRIVATE_KEY \
                   --predicate <(echo '{"type":"development"}') \
-                  "${tag}@${DIGEST}"
+                  --yes "${tag}@${DIGEST}"
               fi
             done
           fi
 
+
       - name: Generate tags ultra-lite
         id: meta2
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
-        if: github.ref != 'refs/heads/main'
+        if: github.ref != 'refs/heads/docker-rename'
         with:
           images: |
             ${{ secrets.DOCKER_HUB_USERNAME }}/s-pdf
@@ -148,7 +148,7 @@ jobs:
       - name: Build and push Dockerfile-ultra-lite
         id: build-push-lite
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
-        if: github.ref != 'refs/heads/main'
+        if: github.ref != 'refs/heads/docker-rename'
         with:
           context: .
           file: ./Dockerfile.ultra-lite
@@ -163,19 +163,21 @@ jobs:
           sbom: true
 
       - name: Sign ultra-lite images
-        if: github.ref != 'refs/heads/main'
+        if: github.ref != 'refs/heads/docker-rename'
         env:
           DIGEST: ${{ steps.build-push-lite.outputs.digest }}
           TAGS: ${{ steps.meta2.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           echo "$TAGS" | tr ',' '\n' | while read -r tag; do
-            cosign sign --yes "${tag}@${DIGEST}"
+            cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}"
           done
 
       - name: Generate tags fat
         id: meta3
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
-        if: github.ref != 'refs/heads/main'
+        if: github.ref != 'refs/heads/docker-rename'
         with:
           images: |
             ${{ secrets.DOCKER_HUB_USERNAME }}/s-pdf
@@ -186,10 +188,10 @@ jobs:
             type=raw,value=${{ steps.versionNumber.outputs.versionNumber }}-fat,enable=${{ github.ref == 'refs/heads/master' }}
             type=raw,value=latest-fat,enable=${{ github.ref == 'refs/heads/master' }}
 
-      - name: Build and push main Dockerfile fat
+      - name: Build and push docker-rename Dockerfile fat
         id: build-push-fat
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
-        if: github.ref != 'refs/heads/main'
+        if: github.ref != 'refs/heads/docker-rename'
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: .
@@ -205,11 +207,13 @@ jobs:
           sbom: true
 
       - name: Sign fat images
-        if: github.ref != 'refs/heads/main'
+        if: github.ref != 'refs/heads/docker-rename'
         env:
           DIGEST: ${{ steps.build-push-fat.outputs.digest }}
           TAGS: ${{ steps.meta3.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           echo "$TAGS" | tr ',' '\n' | while read -r tag; do
-            cosign sign --yes "${tag}@${DIGEST}"
+            cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}"
           done