Run cosign only for published branches (#329)

* Run cosign when not a workflow call * Also make sure it's not a PR * Apply suggestions * Only run during workflow call * Use published branches
1 year ago · 876a966a04
1 changed files with 2 additions and 2 deletions
--- a/.github/workflows/build-unified.yml
+++ b/.github/workflows/build-unified.yml
@ -166,11 +166,11 @@ jobs:
				@@ -166,11 +166,11 @@ jobs:
            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

      - name: Install Cosign
-        if: inputs.is_workflow_call == true && github.ref == 'refs/heads/main'
+        if: env.is_publish_branch == 'true'
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Sign image with Cosign
-        if: inputs.is_workflow_call == true && github.ref == 'refs/heads/main'
+        if: env.is_publish_branch == 'true'
        env:
          DIGEST: ${{ steps.build-docker.outputs.digest }}
          TAGS: ${{ steps.tag-list.outputs.tags }}