allow to pass a list of docker images to attest

[caarlos0]

Hey!

So, I was thinking it would make things a lot easier if we could do this:

      - uses: actions/attest-build-provenance@v2
        id: attest
        with:
          subject-images: |
             registry/image:tag@digest
             registry/image2:tag@digest
             another-registry/image2:tag@digest
          push-to-registry: true

The list could then be built on-the-fly if you're using, for example, GoReleaser:

      - run: |
          jq -r '.[] | select(.type | startswith("Published Docker")) | .name + "@" + .extra.Digest' ./dist/artifacts.json >./dist/docker-images
          echo "IMAGES=$(cat ./dist/docker-images)" >> $GITHUB_OUTPUT
      - uses: actions/attest-build-provenance@v2
        id: attest
        with:
          subject-images: |
            ${{ IMAGES }}
          push-to-registry: true

I think this would make an awesome addition, and would make attestation as lot easier as well.

---

For disclosure: I'm the author of GoReleaser.

[caarlos0]

PS: if this is something you're interested in, I'm happy to try and contribute it, and/or test it :)

[bdehamer]

@caarlos0 this is definitely something we're looking at. There have been multiple requests to support attestation of multiple images at once. There is some internal plumbing that needs to be tackled in order to make this work properly with the push-to-registry option since we'd need to upload and associate the attestation with each image in the registry.

I recently added support for identifying subjects with a checksums file (which was actually done in response to a request for better GoReleaser integration). If you are NOT using the push-to-registry option you could leverage the subject-checksum param to do multi-image attestations by constructing a checksums file with entries for each image:

1b7caf2e76ba0b...  ghcr.io/bdehamer/attest-demo:0.0.4-arm64v8
8a66a216f91a30...  ghcr.io/bdehamer/attest-demo:0.0.4-amd64

[caarlos0]

Hmmm interesting, I'll experiment with that as well!

I saw the checksums option, it's awesome! Thanks for that 🙏

[GIgako19929]

• [ ]

[avo-sepp]

I want to add that if this worked cleanly with the outputs from the docker-bake-action it would be excellent. Docker bake + the Docker Metadata Action is a very clean way to generate a bunch of different tags at once.

I’m going to double check the output from that, I think we get a json where the digests would be parsed out.