From 1696915502815ed23d26fb05fd3a81de3416d874 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Mon, 18 Dec 2023 12:30:46 -0700
Subject: [PATCH] fix(actions): Pass registry token and GitHub token when signing
---
 .github/workflows/test-actions.yml | 2 ++
 README.md | 6 ++++--
 sign/action.yml | 11 ++++++++---
 3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
index 534fb8f..527f998 100644
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -122,6 +122,8 @@ jobs:
 with:
 container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}
 registry: ghcr.io
+ registry-token: ${{ secrets.GITHUB_TOKEN }}
+ signing-secret: ${{ secrets.SIGNING_SECRET }}
 tags: ${{ steps.push.outputs.digest }}
 - name: Verify image
diff --git a/README.md b/README.md
index 9c208af..9148867 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ These actions exist to further automate the usage of sigstore's 'cosign'.
 The 'sign' action signs the target container using a private key stored as a repository secret. The secret must be named `SIGNING_SECRET`. It is the private key generated by 'cosign' when creating a key pair.
-Example implementation:
+Example implementation for GHCR:
 ```yaml
 jobs:
@@ -24,6 +24,8 @@ jobs:
 with:
 container: ghcr.io/ublue-os/silverblue-main
 registry: ghcr.io
+ registry-token: ${{ secrets.GITHUB_TOKEN }}
+ signing-secret: ${{ secrets.SIGNING_SECRET }}
 tags: latest
 ```
@@ -31,7 +33,7 @@ jobs:
 The 'verify' action validates the target container's signature via the public key. For example, for Universal Blue, this is the `cosign.pub` file stored in the root of all image repositories.
-Example implementation:
+Example implementation for GHCR:
 ```yaml
 jobs:
diff --git a/sign/action.yml b/sign/action.yml
index c47580c..0703b15 100644
--- a/sign/action.yml
+++ b/sign/action.yml
@@ -8,6 +8,12 @@ inputs:
 registry:
 description: 'Registry hosting the target container'
 required: true
+ registry-token:
+ description: 'Password for container registry'
+ required: true
+ signing-secret:
+ description: 'Private key used to sign target container.'
+ required: true
 tags:
 description: 'Tags used by target container'
 required: true
@@ -19,7 +25,7 @@ runs:
 with:
 registry: ${{ inputs.registry }}
 username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ password: ${{ inputs.registry-token }}
 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
 # https://github.com/macbre/push-to-ghcr/issues/12
@@ -34,8 +40,7 @@ runs:
 - name: Sign container image
 run: |
- cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ inputs.container }}@${TAGS}
+ cosign sign -y --key ${{ inputs.signing-secret }} ${{ inputs.container }}@${TAGS}
 env:
 COSIGN_EXPERIMENTAL: false
- COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
 TAGS: ${{ inputs.tags }}
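Review bot: The new `signing-secret` input description does not say what form the value must take, even though the README in this same patch states it is the private key generated by cosign when creating a key pair, and the two new descriptions are inconsistent in punctuation (`registry-token` has no terminating period, `signing-secret` does). Suggest `description: 'Private key generated by cosign (the value of the SIGNING_SECRET repository secret), used to sign the target container'` and `description: 'Password or token used to log in to the container registry'` so callers know what to pass. The `inputs:` mapping continues outside this hunk.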
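Review bot: In the `Sign container image` step the new `run:` line interpolates `${{ inputs.signing-secret }}` straight into the shell script, so the private key is written into the runner's generated script and placed on the cosign command line, whereas the removed line read it from the environment via `env://COSIGN_PRIVATE_KEY`; a multi-line PEM value inlined this way will also split the command across lines and fail. `--key` takes a file path or an `env://` reference, not raw key material, so keep the env-reference form and route the input through the environment instead: `cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ inputs.container }}@${TAGS}` with `COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}` restored under `env:`. The step's `env:` block continues past the end of this hunk.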