From 841478c5ec2c3d935d075c17e91d3051d808d4b0 Mon Sep 17 00:00:00 2001
From: Malte Poll
Date: Fri, 6 Jan 2023 09:39:49 +0100
Subject: [PATCH] ci: use explicit input to choose cosign key for OS image measurements
(cherry picked from commit 49288f5d30ef138c0c1cbe56e6a0e3091d3e35f3)
---
 .github/workflows/generate-measurements.yml | 14 +++++++++++---
 .github/workflows/release.yml | 1 +
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/generate-measurements.yml b/.github/workflows/generate-measurements.yml
index 7aab09bfe..f09b00020 100644
--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@@ -15,6 +15,11 @@ on:
 description: "Sign and upload the measurements?"
 type: boolean
 required: true
+ isRelease:
+ description: "Is this a release?"
+ type: boolean
+ default: false
+ required: false
 ref:
 type: string
 description: "Git ref to checkout"
@@ -33,6 +38,9 @@ on:
 description: "Sign and upload the measurements?"
 type: boolean
 required: true
+ isRelease:
+ description: "Is this a release?"
+ type: boolean
 ref:
 type: string
 description: "Git ref to checkout"
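Review bot: The `workflow_call` declaration of `isRelease` in the second hunk (`@@ -33,6 +38,9`) carries no `default: false` / `required: false`, unlike the `workflow_dispatch` declaration in the first hunk; an unset input evaluates as falsy in the `&&`/`||` expression so it still works, but adding `default: false` keeps the two declarations in sync and documents that the dev key is the intended fallback. Because the key choice at the signing step now depends solely on this input, any other caller of this reusable workflow that previously relied on running from a `refs/heads/release/v*` branch would now sign with the dev key unless it passes `isRelease: true`; only `release.yml` is updated in this patch, so it is worth confirming there are no other callers.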
@@ -286,9 +294,9 @@ jobs:
 - name: Sign measurements
 shell: bash
 env:
- COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
- COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
- COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
+ COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 run: |
 echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
 # Enabling experimental mode also publishes signature to Rekor
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c978cdef9..102896309 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -176,6 +176,7 @@ jobs:
 osImage: ${{ inputs.version }}
 isDebugImage: false
 signMeasurements: true
+ isRelease: true
 ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
 
 update-hardcoded-measurements:
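Review bot: The choice between the release and dev cosign keys in the `env:` of the `Sign measurements` step is now driven entirely by `inputs.isRelease`, an operator-supplied value, where it was previously derived from `github.ref`; if the release secrets are available to a manually dispatched run, such a run can request the release key for an arbitrary ref, so the release secrets should be scoped with a protected environment (or the step additionally gated on the ref) rather than relying on the input alone. The `&&`/`||` fallback also stays silent: with `isRelease: true` but an empty `secrets.COSIGN_PRIVATE_KEY`, the measurements are signed with the dev key and the run still succeeds. A small step guarded by `if: inputs.isRelease` that exports `secrets.COSIGN_PRIVATE_KEY` via `env` and fails when it is empty would make that mismatch visible instead of producing dev-signed release measurements. The `Sign measurements` step's `run:` block continues past the end of the hunk.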