From 77aa6a72876b086d503d8ac689a1bc35fc0458b8 Mon Sep 17 00:00:00 2001
From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com>
Date: Wed, 6 May 2026 18:12:29 +0100
Subject: [PATCH] ci(bluebuild): symlink cosign.{pub,key} to repo root for
 stage-keys COPY

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/build-bluebuild.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index 1dee2bf..ca8fef6 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -128,6 +128,13 @@ jobs:
           mkdir -p bluebuild
           printf '%s' "$COSIGN_PRIVATE_KEY" > bluebuild/cosign.key
           chmod 600 bluebuild/cosign.key
+          # bluebuild's generated Containerfile uses `FROM scratch as
+          # stage-keys; COPY cosign.pub /keys/`. Buildah's build context
+          # is the cwd ($PWD) — symlink the keys to repo root so COPY
+          # finds them there too.
+          ln -sf bluebuild/cosign.pub cosign.pub
+          ln -sf bluebuild/cosign.key cosign.key
+          ls -la cosign.pub cosign.key 2>&1 | head -4
 
       - name: Build OCI image with BlueBuild CLI container
         id: bluebuild