From 631d363749b04105de025c67a0e17e3da2534b51 Mon Sep 17 00:00:00 2001
From: Will Norris <will@tailscale.com>
Date: Tue, 6 Dec 2022 08:53:06 -0800
Subject: [PATCH] docker: cosign sign tags rather than digest

---
 .github/workflows/docker.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index bf2c40c..255d26c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -46,7 +46,7 @@ jobs:
       uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
       with:
         context: .
-        push: ${{ github.event_name != 'pull_request' }}
+        push: ${{ github.event_name == 'push' }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         platforms: linux/amd64,linux/arm64,linux/arm/v7
@@ -58,5 +58,6 @@ jobs:
     - name: Sign the published Docker image
       if: github.event_name == 'push'
       env:
+        TAGS: ${{ steps.meta.outputs.tags }}
         COSIGN_EXPERIMENTAL: "true"
-      run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+      run: cosign sign ${TAGS}