From 82b847e24642b57c31d35301d76335b211478b3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Dufour?=
Date: Sun, 1 Dec 2024 18:30:40 +0100
Subject: [PATCH] feat: update build signing step
---
 .github/workflows/build.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e961ef1..5624e4c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -71,9 +71,12 @@ jobs:
 password: ${{ env.REGISTRY_PASSWORD }}
 - name: Sign image with a key
+ # https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
 run: |
- cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.build_image.outputs.image }}@${DIGEST}
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${REGISTRY}/${NAME}@${DIGEST}
 env:
+ REGISTRY: ${{ env.IMAGE_REGISTRY }}
+ NAME: ${{ steps.build_image.outputs.image }}
 DIGEST: ${{ steps.push.outputs.digest }}
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
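Review bot: The new `run` line expands `${REGISTRY}`, `${NAME}` and `${DIGEST}` unquoted, so the shell still applies word splitting and globbing to those values before cosign receives them. Moving the expressions into `env:` keeps expression text out of the script body, but a value containing whitespace would be split into separate cosign arguments instead of staying one image reference. Quote the whole reference: `cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${REGISTRY}/${NAME}@${DIGEST}"`. The steps that set `steps.build_image.outputs.image` and `steps.push.outputs.digest` are outside this hunk, so whether those values are already constrained cannot be confirmed from here.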