use hardcoded docker image, make cosign install on release not optional

.github/workflows/github-actions-demo.yml

@@ -66,7 +66,7 @@ jobs:
       - name: Prepare Docker
         id: docker_prep
         run: |
-          DOCKER_IMAGE=${{ secrets.DOCKER_IMAGE }}
+          DOCKER_IMAGE=skifdh/test
           UNIQUE_TAG="`git describe | sed -e 's/^v//'`"
           VERSION=${GITHUB_SHA}
           if [[ $GITHUB_REF == refs/tags/* ]]; then
@@ -147,7 +147,6 @@ jobs:
           go-version: 1.17
 
       - name: Install Cosign
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
         uses: sigstore/cosign-installer@main
         with:
           cosign-release: "v1.4.0" # optional
@@ -300,7 +299,7 @@ jobs:
       - name: Generate oci artifact SBOM
         uses: anchore/sbom-action@v0
         with:
-          image: ${{ secrets.DOCKER_IMAGE }}@${{ needs.build.outputs.image_digest }}
+          image: skifdh/test@${{ needs.build.outputs.image_digest }}
           artifact-name: oci-sbom.spdx
           registry-username: ${{ secrets.DOCKER_USERNAME }}
           registry-password: ${{ secrets.DOCKER_PASSWORD }}

README.md

@@ -10,9 +10,8 @@ COSIGN_EXPERIMENTAL=1 cosign verify-blob -signature ~/Downloads/checksums.txt.si
 
 ### Fork instructions:
 
-Set following secrets in your repo:
+1. Set following secrets in your repo:
 
-- DOCKER_IMAGE (`mycollection/myapp`)
 - DOCKER_USERNAME
 - DOCKER_PASSWORD
 - COSIGN_KEY
@@ -26,8 +25,11 @@ go install github.com/sigstore/cosign/cmd/[email protected]
 
 cosign generate-key-pair
 ```
+, then copy generated key and password to github secrets
 
-Codecov step is standalone, impact only build step, and can be easily commented
+2. In `.github/workflows/github-actions-demo.yml` replace `skifdh/test` with your own docker image path.
+
+3. Codecov step is standalone, impact only build step, and can be easily commented
 
 ## Preparing before installing scss