Add digest input to container docs #591
Conversation
| @@ -134,6 +136,7 @@ jobs: | |||
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main | |||
| with: | |||
| image: ${{ needs.build.outputs.image }} | |||
| digest: ${{ needs.build.outputs.digest }} | |||
There was a problem hiding this comment.
have we decided yet if image and digest should be separate inputs or not?
Fo example, in https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml#L93, it's passed as one parameter.
There was a problem hiding this comment.
I kind of wanted to have them be separate to make it clear that only the digest is supported. I wanted to force folks to use the digest to avoid racing with something that could modify the image tag.
I could merge them into one and do some validation on the image string to make sure it includes the digest and return an error if not, but I thought that this would better UX. wdut?
There was a problem hiding this comment.
I'm not a UX expert tbh. I think it'd be fine to have a single option. So long as it's a required option and we validate it, it's fine. You may be right that it makes the hash more explicit.
We can re-visit later without blocking this PR for now.
There was a problem hiding this comment.
SG. Agreed that it might not be a nicer UX, but a more explicit one.
Fixes #543