Get container variables for provenance in workflow

Signed-off-by: Marco Franssen <marco.franssen@philips.com>
philips-labs · Dec 22, 2021 · 1489f06 · 1489f06
1 parent cc02d63
commit 1489f06
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -64,7 +64,10 @@ jobs:
     name: release
     needs: [build]
     outputs:
-      container_digest: ${{ steps.container_digest.outputs.container_digest }}
+      container_digest: ${{ steps.container_info.outputs.container_digest }}
+      container_tags: ${{ steps.container_info.outputs.container_tags }}
+      container_repos: ${{ steps.container_info.outputs.container_repos }}
+
     runs-on: ubuntu-20.04
 
     steps:
@@ -107,10 +110,13 @@ jobs:
           LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
           GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
 
-      - name: Get container digest
-        id: container_digest
+      - name: Get container info
+        id: container_info
         if: startsWith(github.ref, 'refs/tags/')
-        run: echo "::set-output name=container_digest::$(make container-digest GITHUB_REF=${GITHUB_REF})"
+        run: |
+          echo "::set-output name=container_digest::$(make container-digest GITHUB_REF=${{ github.ref_name }})"
+          echo "::set-output name=container_tags::$(make container-tags CONTAINER_DIGEST=${{ steps.container_info.outputs.container_digest }})"
+          echo "::set-output name=container_repos::$(echo "[$(make container-repos GITHUB_REF=${GITHUB_REF} | paste -s -d ',' -)]")"
 
       - name: Logout from Container registries
         if: ${{ always() }}

diff --git a/Makefile b/Makefile
@@ -128,5 +128,14 @@ gh-release: ## Creates a new release by creating a new tag and pushing it
 .PHONY: container-digest
 container-digest: ## retrieves the container digest from the given tag
 	@:$(call check_defined, GITHUB_REF)
-	@docker inspect $(HUB_REPO):$(subst refs/tags/,,$(GITHUB_REF)) --format '{{ index .RepoDigests 0 }}' | cut -d '@' -f 2
+	@docker inspect $(GHCR_REPO):$(subst refs/tags/,,$(GITHUB_REF)) --format '{{ index .RepoDigests 0 }}' | cut -d '@' -f 2
 
+.PHONY: container-tags
+container-tags: ## retrieves the container tags applied to the image with a given digest
+	@:$(call check_defined, CONTAINER_DIGEST)
+	@docker inspect ghcr.io/philips-labs/slsa-provenance@$(CONTAINER_DIGEST) --format '{{ join .RepoTags "\n" }}' | sed 's/.*://' | awk '!_[$$0]++'
+
+.PHONY: container-repos
+container-repos: ## retrieves the container tags applied to the image with a given digest
+	@:$(call check_defined, CONTAINER_DIGEST)
+	@docker inspect ghcr.io/philips-labs/slsa-provenance@$(CONTAINER_DIGEST) --format '{{ join .RepoTags "\n" }}' | sed 's/:.*//' | awk '!_[$$0]++'