From 4cde4fa704ad3344b984f4a41774f4e623bfc4fe Mon Sep 17 00:00:00 2001
From: Kavindu Dodanduwa
Date: Fri, 27 Jan 2023 15:31:59 -0800
Subject: [PATCH 1/2] flagd image signing

Signed-off-by: Kavindu Dodanduwa
---
 .github/workflows/release-please.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index b4a67eba6..0c4217e75 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -77,6 +77,18 @@ jobs: COMMIT=${{ github.sha }} DATE=${{ steps.date.outputs.date }} + - name: Install Cosign uses: sigstore/cosign-installer@main with: cosign-release: "v2.8.1" + - name: Sign image with a key run: | cosign sign --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.release_tag_name }} env: COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + - name: SBOM for latest image uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0 with:
From d3057afc292098bc659297da7292d407d82a925b Mon Sep 17 00:00:00 2001
From: Kavindu Dodanduwa
Date: Mon, 30 Jan 2023 15:04:11 -0800
Subject: [PATCH 2/2] add public key to release artefacts

Signed-off-by: Kavindu Dodanduwa
---
 .github/workflows/release-please.yaml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index 0c4217e75..7fdcc070a 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -7,6 +7,7 @@ env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} DEFAULT_GO_VERSION: 1.19.3 + PUBLIC_KEY_FILE: publicKey.pub name: Run Release Please jobs: 
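Review bot: The added `cosign sign` line signs `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.release_tag_name }}`, a tag reference, so the signature is bound to whatever digest that tag resolves to at the moment the step runs rather than to the image the preceding build step pushed; the same line is carried over unchanged in the `@@ -79,16 +80,20 @@` hunk of the second patch. Prefer signing by digest, `cosign sign --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@<digest-output-of-build-step>`, taking the digest from the build/push step's output (the build step is outside this hunk, so its id and whether it exposes a digest output need confirming). Separately, `uses: sigstore/cosign-installer@main` tracks a mutable branch for the tool that handles the signing key, while `anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0` two steps below pins by commit; pin the installer the same way, `uses: sigstore/cosign-installer@<commit-sha> # <tag>`. The step's `${{secrets.COSIGN_PRIVATE_KEY}}` and `${{secrets.COSIGN_PASSWORD}}` also omit the inner spaces every other expression in the hunk uses; `${{ secrets.COSIGN_PRIVATE_KEY }}` keeps the style uniform.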
@@ -79,16 +80,20 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main - with: - cosign-release: "v2.8.1" - - name: Sign image with a key + - name: Sign the image run: | - cosign sign --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.release_tag_name }} + cosign sign --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.release_tag_name }} + cosign public-key --key env://COSIGN_PRIVATE_KEY --outfile ${{ env.PUBLIC_KEY_FILE }} env: COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + - name: Bundle release assets + uses: softprops/action-gh-release@v1 + with: + files: ${{ env.PUBLIC_KEY_FILE }} + - name: SBOM for latest image uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0 with:
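Review bot: `uses: softprops/action-gh-release@v1` on the new `Bundle release assets` step is a mutable major-version tag, and after this patch `sigstore/cosign-installer@main` no longer pins a `cosign-release` either, so both the tool that holds the signing key and the action that publishes the verification key float with their upstream refs; `anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0` in the same hunk is the pinning style to follow, e.g. `uses: softprops/action-gh-release@<commit-sha> # v1`. The uploaded public key is the trust anchor consumers verify against, and publishing it through a release-write action that is not commit-pinned means a compromised action revision could replace the key together with the assets it vouches for; pinning by SHA and restoring a `cosign-release: "<version>"` input under the installer's `with:` narrows that. It is also worth a comment on the `cosign public-key` line recording that it re-derives the same key from `COSIGN_PRIVATE_KEY` on every release, so verifiers can compare the asset against a copy published out-of-band, e.g. `# derived from the release signing key; must match the out-of-band published copy`. The enclosing job starts outside this hunk, so whether it already grants the `contents: write` permission the release-assets upload needs cannot be confirmed here.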