diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1d042f02..422e21d0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -65,8 +65,7 @@ jobs:
 name: release
 needs: [build]
 outputs:
- container_digest: ${{ steps.container_info.outputs.container_digest }}
- container_tags: ${{ steps.container_info.outputs.container_tags }}
+ container_info: ${{ steps.container_info.outputs.container_info }}
 container_repos: ${{ steps.container_info.outputs.container_repos }}
 runs-on: ubuntu-20.04
@@ -135,10 +134,20 @@ jobs:
 id: container_info
 if: startsWith(github.ref, 'refs/tags/')
 run: |
- export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
- echo "::set-output name=container_digest::$CONTAINER_DIGEST"
- echo "::set-output name=container_tags::$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)"
- echo "::set-output name=container_repos::$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"
+ function digest_tags {
+ while IFS= read -r line ; do
+ jq -n "{digest: \"$line\", tags: \$ARGS.positional}" --args $(make container-tags CONTAINER_DIGEST=$line)
+ done <<< "$(make manifest-digest GITHUB_REF=${{ github.ref_name }})"
+ }
+
+ CONTAINER_INFO="$(digest_tags | jq --slurp . -c)"
+ CONTAINER_DIGEST="$(echo "$CONTAINER_INFO" | jq --raw-output '.[0].digest')"
+ CONTAINER_REPOS="$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"
+
+ set | grep 'CONTAINER_'
+
+ echo "::set-output name=container_info::$CONTAINER_INFO"
+ echo "::set-output name=container_repos::$CONTAINER_REPOS"
 - name: Logout from Container registries
 if: ${{ always() }}
@@ -206,6 +215,7 @@ jobs:
 strategy:
 matrix:
 repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
+ container: ${{ fromJSON(needs.release.outputs.container_info) }}
 steps:
 - name: Install cosign
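Review bot: In the new `digest_tags` function each line read from `make manifest-digest` is spliced into the jq program text (`\"$line\"`), so a value containing a quote or backslash corrupts the filter instead of being carried as data; binding it with `--arg` keeps the program fixed: `jq -n --arg digest "$line" '{digest: $digest, tags: $ARGS.positional}' --args $(make container-tags CONTAINER_DIGEST="$line")`. Nothing guards the empty case either: if `make manifest-digest` prints nothing, the here-string still feeds one empty line, `CONTAINER_INFO` becomes a one-element array with an empty digest and the downstream attest jobs run against `repo@` — add `[ -n "$line" ] || continue` at the top of the loop and fail the step when `CONTAINER_DIGEST` comes back empty or `null`. `set | grep 'CONTAINER_'` reads as a debugging leftover: it prints every shell variable and function line matching that prefix, which in a release job may be more than the two values you want to inspect, so echo the two outputs explicitly instead. The step still emits `::set-output` workflow commands; if the runner version supports it, `echo "container_info=$CONTAINER_INFO" >> "$GITHUB_OUTPUT"` is the supported replacement.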
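Review bot: The new `container` axis makes the matrix the full product of `repo` × manifest digest, so every digest is attested against every repo, while `container_repos` (see the container_info step above) is resolved from the first digest only — if the repo list can differ between digests, some pairs will fail at `cosign attest`. A comment on the matrix stating that assumption would help the next maintainer, e.g. `# one job per (repo, manifest digest); repos are resolved from the first digest and assumed valid for all`. As far as I recall, `fromJSON` of an empty `container_info` array leaves the job with no matrix combinations, which is rejected at run time rather than skipped, so the release step should fail early when it has nothing to publish.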
@@ -218,7 +228,7 @@ jobs:
 with:
 command: generate
 subcommand: container
- arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
+ arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ matrix.container.digest }} --tags ${{ join(matrix.container.tags, ',') }}
 env:
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
@@ -235,14 +245,14 @@ jobs:
 - name: Attach provenance to image
 run: |
 echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
- cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+ cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ matrix.container.digest }}
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 - name: Verify attestation
 run: |
 echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
- cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+ cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ matrix.container.digest }}
 - name: Logout from Container registries
 if: ${{ always() }}
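Review bot: `${{ matrix.container.digest }}` is expanded into the `run:` script text before bash executes it, in both the attest and the verify-attestation lines, so whatever `make manifest-digest` printed in the release job is interpreted as shell here, in a job that has `COSIGN_PRIVATE_KEY` written to disk. The value is produced by the project's own Makefile on a tag build rather than taken from a pull request, so the exposure is limited, but the defensive form is to pass it through the environment: add `CONTAINER_DIGEST: ${{ matrix.container.digest }}` to the step's `env:` (the attest step already has one for `COSIGN_PASSWORD`) and reference `"${{ matrix.repo }}@${CONTAINER_DIGEST}"`, with `matrix.repo` ideally routed the same way. Whether the `arguments:` input in the hunk above needs the same treatment depends on whether that action hands the string to a shell, which cannot be determined from here.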