From 4c9abc9ae5f7c2833646414f1e1bcf9f80cebad5 Mon Sep 17 00:00:00 2001
From: Klaus Hartl
Date: Wed, 3 Apr 2024 13:15:33 +0200
Subject: [PATCH] Remove no longer necessary cosign config

---
.github/workflows/pipeline.yml | 6 ------
.github/workflows/scan.yml | 2 --
README.md | 2 +-
3 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index e9f30c8..915b12a 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -198,10 +198,6 @@ jobs:
with:
image_name: ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Sign the published Docker image
- env:
- COSIGN_EXPERIMENTAL: "true"
- # This step uses the identity token to provision an ephemeral certificate
- # against the sigstore community Fulcio instance.
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Download cosign vulnerability scan record
uses: actions/download-artifact@v4
@@ -209,8 +205,6 @@ jobs:
name: "vuln.json"
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- env:
- COSIGN_EXPERIMENTAL: "true"
- id: set-version
run: echo "version=$CONTAINER_IMAGE_VERSION" >> $GITHUB_OUTPUT
- name: Send status to Slack
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 61a5b98..bf0fd29 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
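Review bot: Dropping `COSIGN_EXPERIMENTAL` from the sign step is only safe if the cosign binary installed earlier in this job is a 2.x release, where keyless signing is the default behaviour; the install step is outside this hunk, so confirm it is pinned to 2.x rather than floating, and the same dependency applies to the attest steps in the -209 hunk below and in scan.yml. The removal also takes the two comment lines that explained the step exchanges the job's OIDC identity token for an ephemeral certificate from the public sigstore Fulcio instance, which is still what `cosign sign --yes` does here and is presumably why the job's permissions block (not visible in this hunk) grants `id-token: write`. I would keep that explanation above `run:` as `# Keyless signing: the job's OIDC identity token is exchanged for a short-lived certificate from the public sigstore Fulcio instance; requires id-token: write.` so the next maintainer does not remove the permission as unused. The enclosing job starts before this hunk.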
@@ -98,8 +98,6 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- env:
- COSIGN_EXPERIMENTAL: "true"
- name: Send status to Slack
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
diff --git a/README.md b/README.md
index d0589c9..d1a1384 100644
--- a/README.md
+++ b/README.md
@@ -137,7 +137,7 @@ Container images in the registry are [signed with keyless signatures](https://gi
**To verify an image**:

```bash
-COSIGN_EXPERIMENTAL=1 cosign verify "ghcr.io/digitalservicebund/kotlin-application-template:$(git log -1 origin/main --format='%H')"
+cosign verify "ghcr.io/digitalservicebund/kotlin-application-template:$(git log -1 origin/main --format='%H')"
```

If you need to push a new container image to the registry manually there are two ways to do this: