From 14513f081433162b28b8e85d71c207766f6fc5e0 Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Tue, 18 Jan 2022 14:05:41 +0100
Subject: [PATCH] Update ci workflow for provenance on multi platform containers

Signed-off-by: Marco Franssen
---
 .github/workflows/ci.yaml | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index df5a7bfa..a132134d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -65,8 +65,7 @@ jobs:
 name: release
 needs: [build]
 outputs:
- container_digest: ${{ steps.container_info.outputs.container_digest }}
- container_tags: ${{ steps.container_info.outputs.container_tags }}
+ container_info: ${{ steps.container_info.outputs.container_info }}
 container_repos: ${{ steps.container_info.outputs.container_repos }}
 runs-on: ubuntu-20.04
@@ -135,10 +134,20 @@ jobs:
 id: container_info
 if: startsWith(github.ref, 'refs/tags/')
 run: |
- export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
- echo "::set-output name=container_digest::$CONTAINER_DIGEST"
- echo "::set-output name=container_tags::$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)"
- echo "::set-output name=container_repos::$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"
+ function digest_tags {
+ while IFS= read -r line ; do
+ jq -n "{digest: \"$line\", tags: \$ARGS.positional}" --args $(make container-tags CONTAINER_DIGEST=$line)
+ done <<< "$(make manifest-digest GITHUB_REF=${{ github.ref_name }})"
+ }
+
+ CONTAINER_INFO="$(digest_tags | jq --slurp . -c)"
+ CONTAINER_DIGEST="$(echo "$CONTAINER_INFO" | jq --raw-output '.[0].digest')"
+ CONTAINER_REPOS="$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"
+
+ set | grep 'CONTAINER_'
+
+ echo "::set-output name=container_info::$CONTAINER_INFO"
+ echo "::set-output name=container_repos::$CONTAINER_REPOS"
 - name: Logout from Container registries
 if: ${{ always() }}
@@ -247,6 +256,7 @@ jobs:
 strategy:
 matrix:
 repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
+ container: ${{ fromJSON(needs.release.outputs.container_info) }}
 steps:
 - name: Install cosign
@@ -259,7 +269,7 @@ jobs:
 with:
 command: generate
 subcommand: container
- arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
+ arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ matrix.container.digest }} --tags ${{ join(matrix.container.tags, ',') }}
 env:
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
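Review bot: The here-string `done <<< "$(make manifest-digest GITHUB_REF=${{ github.ref_name }})"` discards the exit status of make, so even under the runner's `-e` shell a failed or empty `manifest-digest` still runs the loop once over an empty line, `CONTAINER_INFO` becomes `[{"digest":"",...}]`, and that empty digest is carried into `CONTAINER_REPOS` and into the provenance/attest matrix instead of failing the release job here. Capturing the make output into a variable first and refusing an empty result closes that gap; passing the digest to jq with `--arg` instead of interpolating `\"$line\"` into the filter string also keeps the jq program fixed regardless of what make prints. The `set | grep 'CONTAINER_'` line reads as leftover debugging that dumps every matching variable and function body into the job log and could be dropped. The step's `- name:` line and the surrounding job sit above the hunk.
```yaml
run: |
  function digest_tags {
    local digests
    digests="$(make manifest-digest GITHUB_REF=${{ github.ref_name }})"
    if [ -z "$digests" ]; then
      echo "manifest-digest returned no digest for ${{ github.ref_name }}" >&2
      return 1
    fi
    while IFS= read -r line ; do
      [ -n "$line" ] || continue
      jq -n --arg digest "$line" '{digest: $digest, tags: $ARGS.positional}' --args $(make container-tags CONTAINER_DIGEST="$line")
    done <<< "$digests"
  }
  # … unchanged: CONTAINER_INFO / CONTAINER_DIGEST / CONTAINER_REPOS assignments and the set-output echoes; the set | grep line is dropped …
```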
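Review bot: `container_repos` is still computed from `.[0].digest` alone (the first entry of `container_info`, see the release step above), yet the new `container:` axis pairs every digest with every repo, so the matrix is a repo × digest cross product that silently assumes every digest exists in every repository; if `make manifest-digest` ever emitted digests from different repositories, the later `cosign attest` would target a `repo@digest` that is not there. A one-line comment above `container:` stating that assumption, e.g. `# every digest in container_info is expected to be present in every repo listed in container_repos`, would make the coupling visible to the next editor. The job's `name:`/`needs:` lines sit above the hunk.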
@@ -276,14 +286,14 @@ jobs:
 - name: Attach provenance to image
 run: |
 echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
- cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+ cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ matrix.container.digest }}
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 - name: Verify attestation
 run: |
 echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
- cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+ cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ matrix.container.digest }}
 - name: Logout from Container registries
 if: ${{ always() }}
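Review bot: Both `cosign attest` and `cosign verify-attestation` now target `${{ matrix.repo }}@${{ matrix.container.digest }}`; if `make manifest-digest` returns the per-platform manifest digests, as the commit title suggests, each platform image gets an attestation but the multi-arch index digest that a tag resolves to does not, so a consumer verifying `repo:tag` by its index digest would find nothing — worth confirming whether the index digest is part of `container_info` or attesting it as well. Separately, the context line above writes the private key to `cosign.key` in the workspace and nothing in this hunk removes it afterwards; a `rm -f cosign.key` right after the attest call, or an `if: always()` cleanup step, keeps it out of later steps and any uploaded artifact. The rest of the job continues outside the hunk.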