From 2588e510170f2c471d2f2358362ad7147ed63e3f Mon Sep 17 00:00:00 2001
From: mendhak
Date: Wed, 6 Nov 2024 22:47:13 +0000
Subject: [PATCH] Add a cosign command to release notes
---
 .github/workflows/generate-release-apk.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/generate-release-apk.yml b/.github/workflows/generate-release-apk.yml
index af25812db..46b95b24d 100644
--- a/.github/workflows/generate-release-apk.yml
+++ b/.github/workflows/generate-release-apk.yml
@@ -52,8 +52,14 @@ jobs:
 id: attest
 with:
 subject-path: gpslogger/gpslogger-*.apk
+ - name: Get APK and WORKFLOW REF
+ id: references
+ run: |
+ APK_FILE_NAME=$(find gpslogger/ -maxdepth 1 -name "gpslogger-*.apk" -print -quit | xargs basename)
+ echo "APK_FILE_NAME=$APK_FILE_NAME" >> "$GITHUB_OUTPUT"
+ echo "GITHUB_WORKFLOW_REF=$GITHUB_WORKFLOW_REF" >> "$GITHUB_OUTPUT"
 - name: Copy cosign bundle
- run: cp ${{ steps.attest.outputs.bundle-path }} gpslogger/cosign.bundle
+ run: cp ${{ steps.attest.outputs.bundle-path }} gpslogger/${{ steps.references.outputs.APK_FILE_NAME }}.cosign.bundle
 - name: Upload
 uses: actions/upload-artifact@v4
 with:
@@ -62,13 +68,7 @@ jobs:
 gpslogger/gpslogger-*.apk
 gpslogger/gpslogger-*.apk.asc
 gpslogger/gpslogger-*.apk.SHA256
- gpslogger/cosign.bundle
- - name: Get APK and WORKFLOW REF
- id: references
- run: |
- APK_FILE_NAME=$(find gpslogger/ -maxdepth 1 -name "gpslogger-*.apk" -print -quit | xargs basename)
- echo "APK_FILE_NAME=$APK_FILE_NAME" >> "$GITHUB_OUTPUT"
- echo "GITHUB_WORKFLOW_REF=$GITHUB_WORKFLOW_REF" >> "$GITHUB_OUTPUT"
+ gpslogger/gpslogger-*.cosign.bundle
 - name: Create a Release
 id: create-release
 uses: softprops/action-gh-release@v2
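Review bot: The rewritten `run:` line of the `Copy cosign bundle` step splices `${{ steps.references.outputs.APK_FILE_NAME }}` into the shell script unquoted, and that value is a file name the new `Get APK and WORKFLOW REF` step read from disk. Expression values are substituted before the shell parses the script, so a name containing spaces or shell metacharacters would alter the command instead of only the destination path; the build presumably controls the name, but nothing in the step enforces that. Passing both values through the step's `env:` (`BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}`, `APK_FILE_NAME: ${{ steps.references.outputs.APK_FILE_NAME }}`) and using `run: cp "$BUNDLE_PATH" "gpslogger/$APK_FILE_NAME.cosign.bundle"` keeps them as data. The lookup also keeps only the first match (`-print -quit`) while `subject-path` is a glob, so the bundle name would be misleading if more than one APK were ever present.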
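Review bot: The upload pattern `gpslogger/gpslogger-*.cosign.bundle` is looser than the name the `Copy cosign bundle` step actually writes, which is always the APK file name followed by `.cosign.bundle`. `gpslogger/gpslogger-*.apk.cosign.bundle` would match only that file and would line up with the neighbouring `.apk.asc` and `.apk.SHA256` patterns. The same pattern is used in the `files:` list of the release step in the last hunk.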
@@ -79,10 +79,10 @@ jobs:
 body: |
 Verification:
 ```
- cosign verify-blob ${{ steps.references.outputs.APK_FILE_NAME }} --bundle cosign.bundle --new-bundle-format --cert-oidc-issuer https://token.actions.githubusercontent.com --cert-identity https://github.com/${{ steps.references.outputs.GITHUB_WORKFLOW_REF }}
+ cosign verify-blob ${{ steps.references.outputs.APK_FILE_NAME }} --bundle ${{ steps.references.outputs.APK_FILE_NAME }}.cosign.bundle --new-bundle-format --cert-oidc-issuer https://token.actions.githubusercontent.com --cert-identity https://github.com/${{ steps.references.outputs.GITHUB_WORKFLOW_REF }}
 ```
 files: |
 gpslogger/gpslogger-*.apk
 gpslogger/gpslogger-*.apk.asc
 gpslogger/gpslogger-*.apk.SHA256
- gpslogger/cosign.bundle
\ No newline at end of file
+ gpslogger/gpslogger-*.cosign.bundle
\ No newline at end of file
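Review bot: The `--cert-identity` value in the published command is filled from this run's own `GITHUB_WORKFLOW_REF`, so the release notes state whichever workflow ref produced the release, not a fixed expected signer. If the workflow were ever run from another branch or tag (an inference, since the triggers are outside this hunk), the notes would still show a command that verifies successfully. A comment above `body:` such as `# cert-identity mirrors the ref this run executed from; cut releases only from the release branch` would record that assumption, or an earlier step could check the ref before the release is created. The `Create a Release` step starts before this hunk.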