Fix release workflow to run on a manual trigger

[laurentsimon]

https://github.com/ossf/scorecard-action/blob/main/action.yaml#L48 we need to pin our docker.
However, there's a problem because we currently generate the docker file upon new release generation thru this workflow https://github.com/ossf/scorecard-action/blob/main/.github/workflows/docker-sign.yml

This is a chicken-and-egg problem: in order to generate the release, we need the right hash to pin the action's docker image. But to generate it, we need a release. We may need to split the problem into 2 stages:

1. Generation of docker image

• Manually edit the hash in the workflow https://github.com/ossf/scorecard-action/blob/main/.github/workflows/docker-sign.yml#L40. Get the changes committed via PR/code review.
• Generate the docker image, maybe via a workflow triggered by dispatch even that we trigger manually. This may later be automated via a workflow that looks at every push event whether the hash was edited in the previous PR.

2. Generate the release

• Pin the hash for the docker image https://github.com/ossf/scorecard-action/blob/main/action.yaml#L48 using the hash of the image from step 1. Then get the changes committed via PR/code review.
• Create a release in GitHub UX

@naveensrinivasan @azeemshaikh38 other ideas?

[laurentsimon]

this is done now. Closing

[laurentsimon]

@naveensrinivasan I now remember why this needs some update. We need to generate the action container image based on a manual GitHub trigger. It does not work on a push trigger.

Currently we generate the image at release time. However, we need the image hash to edit https://github.com/ossf/scorecard-action/blob/main/action.yaml#L45 prior to releasing. I've listed the steps necessary to release the action in #33

Does this make sense?

[laurentsimon]

Fixed by #38