mirror of
https://github.com/pezkuwichain/pwap.git
synced 2026-06-10 09:01:01 +00:00
pezkuwichain
2cbfd21539
docker/login-action writes ~/.docker/config.json but cosign on self- hosted runner does not always read it. Add 'cosign login ghcr.io' before sign (build-image) and verify (deploy-app, deploy-pex) so the registry blob upload/download authenticates correctly. The previous run signed via Sigstore (Fulcio cert + Rekor tlog entry created) but failed at the final 'push signature blob to GHCR' step with UNAUTHORIZED. Explicit cosign login solves this.