From 2cbfd21539eb254185e29364aa6323e0f54b87bf Mon Sep 17 00:00:00 2001
From: Kurdistan Tech Ministry
Date: Sat, 9 May 2026 13:41:29 +0300
Subject: [PATCH] fix(cosign): explicit GHCR login before sign + verify
docker/login-action writes ~/.docker/config.json but cosign on self- hosted runner does not always read it. Add 'cosign login ghcr.io' before sign (build-image) and verify (deploy-app, deploy-pex) so the registry blob upload/download authenticates correctly. The previous run signed via Sigstore (Fulcio cert + Rekor tlog entry created) but failed at the final 'push signature blob to GHCR' step with UNAUTHORIZED. Explicit cosign login solves this.
---
.github/workflows/quality-gate.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
index 422e9a87..ca5ec547 100644
--- a/.github/workflows/quality-gate.yml
+++ b/.github/workflows/quality-gate.yml
@@ -159,6 +159,9 @@ jobs:
 COSIGN_EXPERIMENTAL: '1'
 run: |
 IMAGE_DIGEST="${{ steps.meta.outputs.image }}@${{ steps.build.outputs.digest }}"
+ # cosign needs its own registry auth — docker/login-action only writes
+ # ~/.docker/config.json which cosign on self-hosted runner can't read
+ echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u "${{ github.actor }}" --password-stdin
 echo "Signing $IMAGE_DIGEST"
 cosign sign --yes "$IMAGE_DIGEST"
 echo "✅ Image signed (transparency log: rekor.sigstore.dev)"
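Review bot: The added login line interpolates `secrets.GITHUB_TOKEN` and `github.actor` as `${{ }}` expressions directly inside `run:`, so the runner expands them into the script text before bash sees it; the recommended GitHub Actions pattern is to bind them in the step's `env:` (which starts above the hunk, next to `COSIGN_EXPERIMENTAL`) and read shell variables instead, e.g. `echo "$GHCR_TOKEN" | cosign login ghcr.io -u "$GHCR_USER" --password-stdin`. The login line in the second hunk (verify step) has the same shape and should change the same way. The new comment's stated cause also looks uncertain: cosign normally resolves registry credentials through the same docker config keychain that docker/login-action writes, so a failure on the self-hosted runner more plausibly points to a HOME or DOCKER_CONFIG mismatch between steps; I would have the comment record the observed symptom (the UNAUTHORIZED on the signature-blob push named in the commit message) rather than an inferred cause, e.g. `# docker/login-action auth was not picked up by cosign on the self-hosted runner (UNAUTHORIZED on signature push); log in explicitly`. The enclosing step's `env:` and `name:` keys are outside the hunk.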
@@ -328,8 +331,8 @@ jobs:
 COSIGN_EXPERIMENTAL: '1'
 run: |
 IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sha.outputs.sha }}"
+ echo "${{ secrets.GITHUB_TOKEN }}" | cosign login ghcr.io -u "${{ github.actor }}" --password-stdin
 echo "Verifying signature for $IMAGE"
- # Identity = workflow that built this image (build-image job in this repo)
 cosign verify "$IMAGE" \
 --certificate-identity-regexp "^https://github.com/pezkuwichain/pwap/.github/workflows/quality-gate.yml@" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
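Review bot: The identity pattern on the `--certificate-identity-regexp` line is anchored only at the front (it ends at `quality-gate.yml@`), so a signature produced by this workflow on any ref — a feature branch or a pull-request head — satisfies verification unless a flag later in the command narrows it; if deployments should only trust images built from the release branch, end the pattern with that ref, e.g. `...quality-gate.yml@refs/heads/main$` (constructed example; use the project's actual branch). The removed comment `# Identity = workflow that built this image (build-image job in this repo)` documented exactly this trust decision and is not replaced by anything, so I would keep it above `cosign verify`. The commit description says the login was added to both deploy-app and deploy-pex, but the diffstat reports four insertions and this hunk is the only verify-step change in the patch, so the second job may still lack the login — worth confirming. The `cosign verify` command continues past the end of the hunk.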