try fixup cosign

* only build main when Dockerfile changes

we don't need a new `serve` image unless one of these files has changed

try fixup action
puts debugger

* ahhhh

it is working

cosign OCI manifests which are addressed by digest are signed without
warning

Signed-off-by: Kingdon Barrett <[email protected]>

Author: Kingdon Barrett

.github/workflows/push-workflow-serve.yaml

@@ -6,6 +6,7 @@ env:
 
 on:
   push:
+    paths: [ Dockerfile, _scripts/flux-pull.sh ]
     branches: [ main ] # Configure the branchs which you want to run this workflow
 
 jobs:

.github/workflows/push-workflow-site.yaml

@@ -75,15 +75,20 @@ jobs:
       run: |
         flux push artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} --path=$BUILDDIR \
           --source="$(git config --get remote.origin.url)" \
-          --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" | tee tmp-digest.out
+          --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" 2>&1 | tee tmp-digest.out
+          # Warning: This is not stable, flux CLI output may change
+        cat tmp-digest.out
         DIGEST="$(grep '✔ artifact successfully pushed to' tmp-digest.out | awk '{print $6}')"
-        echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+        echo DIGEST=$DIGEST
+
+        echo "digest=$(grep '✔ artifact successfully pushed to' tmp-digest.out | awk '{print $6}')" >> $GITHUB_OUTPUT
+
         flux tag artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} \
           --tag testing
 
     # Sign the docs tag with cosign (keyless/experimental)
     - name: Cosign (keyless)
-      run: cosign sign $TAGS
+      run: cosign sign ${{ steps.push_html.outputs.digest }}
       env:
         TAGS: ${{ steps.push_html.outputs.digest }}
         COSIGN_EXPERIMENTAL: true