add separate step for digest (#3321)

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

.github/workflows/reuse.yaml

@@ -132,7 +132,7 @@ jobs:
 
       - name: get image digest
         if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
-        id: get-step
+        id: get-step-image
         run: |
           echo "::set-output name=digest::$(make ${{inputs.digest_command}}-dev)"
 
@@ -143,6 +143,19 @@ jobs:
           echo "::set-output name=digest::$(make ${{inputs.digest_command}})"
 
       - name: Sign image
+        if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_REPOSITORY: "ghcr.io/kyverno/signatures"
+        run: |          
+          cosign sign \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step-image.outputs.digest }}
+
+      - name: Sign release-image
+        if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
         env:
           COSIGN_EXPERIMENTAL: "true"
           COSIGN_REPOSITORY: "ghcr.io/kyverno/signatures"