Remove no longer necessary cosign config

digitalservicebund · Apr 3, 2024 · 4c9abc9 · 4c9abc9
1 parent eb6b865
commit 4c9abc9
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 9 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -198,19 +198,13 @@ jobs:
         with:
           image_name: ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
       - name: Sign the published Docker image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
         run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
       - name: Download cosign vulnerability scan record
         uses: actions/download-artifact@v4
         with:
           name: "vuln.json"
       - name: Attest vulnerability scan
         run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
       - id: set-version
         run: echo "version=$CONTAINER_IMAGE_VERSION" >> $GITHUB_OUTPUT
       - name: Send status to Slack

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -98,8 +98,6 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Attest vulnerability scan
         run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
       - name: Send status to Slack
         uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0
         if: ${{ failure() && github.ref == 'refs/heads/main' }}

diff --git a/README.md b/README.md
@@ -137,7 +137,7 @@ Container images in the registry are [signed with keyless signatures](https://gi
 **To verify an image**:
 
 ```bash
-COSIGN_EXPERIMENTAL=1 cosign verify "ghcr.io/digitalservicebund/kotlin-application-template:$(git log -1 origin/main --format='%H')"
+cosign verify "ghcr.io/digitalservicebund/kotlin-application-template:$(git log -1 origin/main --format='%H')"
 ```
 
 If you need to push a new container image to the registry manually there are two ways to do this: