
Bump sigstore/cosign-installer from 3.3.0 to 3.6.0 (#211) #108


Workflow file for this run

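# Builds each example image with ko, pushes it to GHCR, signs it with keyless
# cosign, attests its SPDX SBOM, and verifies the result against the expected
# GitHub Actions workflow identity.
name: build-push

on:
  push:
    branches:
      - main
  # NOTE(review): a manual run started from a ref other than main would still
  # build, push and sign, but the verification below pins refs/heads/main and
  # would then fail after the push. Confirm that this is intended.
  workflow_dispatch:

# Permissions can be set at job level or workflow level. With a single job the
# effect is the same; move these to the job if further jobs are added so that
# they do not inherit write scopes.
permissions:
  id-token: write  # required for requesting the OIDC JWT
  contents: read  # required for actions/checkout
  packages: write  # push to GHCR

jobs:
  build:
    name: build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image:
          - aws-auth
          - github-issue-opener
          - image-copy-ecr
          - image-copy-gcp
          - image-diff
          - jira-issue-opener
          - slack-webhook
          - tag-history
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records
      # the release each SHA is expected to correspond to.
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491  # v5.0.0
        with:
          go-version-file: ${{ matrix.image }}/go.mod
      # The version comment previously read "v3.0.2", which did not match the
      # bump to 3.6.0 (#211). Confirm the SHA against the release tag.
      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382  # v3.6.0
      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa  # v0.6
      - name: Build, sign, attest and verify
        env:
          KO_DOCKER_REPO: ghcr.io/chainguard-dev/${{ matrix.image }}
          # Quoted so the value stays a string rather than a YAML boolean.
          COSIGN_YES: "true"
        working-directory: ${{ matrix.image }}
        run: |
          # Fail on unset variables and on errors inside pipelines, not only
          # on the last command of each line.
          set -euo pipefail

          ko build --image-refs=ko.images --bare .

          # Read the published reference once so every later command acts on
          # the same value, and refuse to sign anything not pinned by digest:
          # a tag can be re-pointed between build and sign.
          image="$(cat ko.images)"
          case "${image}" in
            *@sha256:*) ;;
            *)
              echo "expected a digest reference in ko.images, got: '${image}'" >&2
              exit 1
              ;;
          esac

          issuer="https://token.actions.githubusercontent.com"
          identity="https://github.com/chainguard-dev/platform-examples/.github/workflows/build-push.yaml@refs/heads/main"

          echo "ko build ${image}"
          echo "Signing ${image}"
          cosign sign "${image}"

          # NOTE(review): the SBOM fetched here is presumably the one ko
          # published with the image. It is not itself signed, so consumers
          # should rely on the attestation created below.
          cosign download sbom "${image}" --output-file bom.spdx.json
          cosign attest --timeout=0 --type spdxjson --predicate bom.spdx.json "${image}"

          # Check the image signature as well as the attestation, both against
          # the same issuer and workflow identity.
          cosign verify \
            --certificate-oidc-issuer "${issuer}" \
            --certificate-identity "${identity}" \
            "${image}"
          cosign verify-attestation --type spdxjson \
            --certificate-oidc-issuer "${issuer}" \
            --certificate-identity "${identity}" \
            "${image}"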