From 29850298f2749c146d647ee27e570074747d9a70 Mon Sep 17 00:00:00 2001
From: Opeyemi
Date: Thu, 20 Mar 2025 14:10:16 +0000
Subject: [PATCH] Reduce token scope, install cosign for release, minor fixes (#359)

---
 .github/workflows/release.yml | 17 +++++++++++------
 .github/workflows/update-versions.yml | 5 +++--
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0689229..4a4cfde 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -144,7 +144,7 @@ jobs:
 draft: false
- release-version:
+ release-s3:
 name: Upload version.json
 runs-on: ubuntu-24.04
 needs:
@@ -183,8 +183,8 @@ jobs:
 --quiet
- tag-docker-latest:
- name: Tag ${{ matrix.project_name }} image with release version and latest
+ tag-push-latest-images:
+ name: Tag and push ${{ matrix.project_name }} image with release version and latest
 runs-on: ubuntu-24.04
 needs:
 - setup
@@ -254,7 +254,7 @@ jobs:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
-
+
 - name: Pull versioned image
 run: docker pull $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG
@@ -316,6 +316,9 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+
 - name: Push version and latest image
 if: ${{ inputs.release_type != 'Dry Run' }}
 run: |
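Review bot: The `Sign image with Cosign` step that the new `Install Cosign` step serves (following hunk) has no `if:` of its own, while the `Push version and latest image` step directly under the install step is skipped on `inputs.release_type == 'Dry Run'`; unless the whole job is gated outside the hunk, a dry run would attempt `cosign sign` against a tag that was never pushed. Adding `if: ${{ inputs.release_type != 'Dry Run' }}` to the Sign and Verify steps would match the push step. The sign commands also target mutable tags (`:$_RELEASE_TAG`, `:latest`); signing the pushed digest instead, `ghcr.io/bitwarden/self-host@sha256:<digest>` with the digest resolved after the push, ties the signature to the exact image that was published. Keyless `cosign sign --yes` additionally needs `id-token: write` on the job, which is not visible in this diff and is worth confirming given the commit reduces token scope.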
@@ -324,12 +327,12 @@ jobs:
 skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:$_RELEASE_VERSION
 skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:beta # TODO: Delete after GA
 # skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:latest # TODO: uncomment after GA
-
+
 - name: Sign image with Cosign
 run: |
 cosign sign --yes ghcr.io/bitwarden/self-host:$_RELEASE_TAG
 cosign sign --yes ghcr.io/bitwarden/self-host:latest
-
+
 - name: Verify the signed image with Cosign
 run: |
 cosign verify \
@@ -384,6 +387,8 @@ jobs:
 needs:
 - setup
 - release
+ - tag-push-latest-images
+ - release-unified
 steps:
 - name: Generate GH App token
 uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
diff --git a/.github/workflows/update-versions.yml b/.github/workflows/update-versions.yml
index 8f42b53..36db878 100644
--- a/.github/workflows/update-versions.yml
+++ b/.github/workflows/update-versions.yml
@@ -104,13 +104,14 @@ jobs:
 app-id: ${{ secrets.BW_GHAPP_ID }}
 private-key: ${{ secrets.BW_GHAPP_KEY }}
 owner: ${{ github.repository_owner }}
-
+ repository: ${{ github.repository }}
+
 - name: Checkout Branch
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 ref: main
 token: ${{ steps.app-token.outputs.token }}
-
+
 - name: Configure Git
 run: |
 git config --local user.email "actions@github.com"
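Review bot: The two entries added to this `needs:` list make the job depend on `tag-push-latest-images` and `release-unified`, so if either of those is skipped (the push step inside `tag-push-latest-images` is already conditional on `inputs.release_type`), this job is skipped as well unless its `if:` uses `always()` or `!cancelled()`; the job's header and any `if:` sit above the hunk, so this is worth confirming. `release-unified` is not defined anywhere in this diff; confirm it matches an existing job id, since an unknown id in `needs:` is rejected when the workflow is validated. A short comment such as `# run only after every image push has completed` would explain the added ordering to the next reader.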
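Review bot: The new `repository: ${{ github.repository }}` input on the `create-github-app-token` step may not narrow the token at all: the action's documented input is `repositories` (plural, a comma- or newline-separated list), and an unrecognized `with:` key only produces an "Unexpected input(s)" warning while the token keeps its default scope, which with `owner` set is every repository the installation can access. Unless this pinned version also accepts the singular form, the line should read `repositories: ${{ github.repository }}`. Since the same app token is then used by `Checkout Branch` with `ref: main`, this line is what actually delivers the "Reduce token scope" part of the commit. The step's `uses:` line sits above the hunk, so the pinned version cannot be checked here.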