fix: Update release.yaml

.github/workflows/release.yaml

@@ -71,10 +71,8 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: Verify signature and annotations on images in Dockerfile using cosign
-        run: cosign dockerfile verify Dockerfile > /dev/null
-        env:
-          COSIGN_EXPERIMENTAL: true
-
+        run: cosign dockerfile verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github.com/radiorabe/container-image-rabe-s2i-base-minimal/.*' Dockerfile > /dev/null
+
       - name: Build Container Image
         id: docker_build
         uses: docker/build-push-action@v4
@@ -89,7 +87,9 @@ jobs:
           labels: |
             ${{ steps.meta.outputs.labels }}
             version=${{ steps.meta.outputs.version }}
-
+        env:
+          DOCKER_CONTENT_TRUST: 1
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -125,10 +125,9 @@ jobs:
           labels: |
             ${{ steps.meta.outputs.labels }}
             version=${{ steps.meta.outputs.version }}
+        env:
+          DOCKER_CONTENT_TRUST: 1
 
       - name: Sign the images with GitHub OIDC Token using cosign
-        run: cosign sign ${TAGS}
-        if: github.event_name != 'pull_request'
-        env:
-          TAGS: ${{ steps.meta.outputs.tags }}
-          COSIGN_EXPERIMENTAL: true
+        run: cosign sign --yes ghcr.io/radiorabe/python-minimal@${{ steps.docker_push.outputs.digest }}
+        if: ${{ github.event_name != 'pull_request' && startsWith(github.event.ref, 'refs/tags/v') }}