diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b0027f40..b4a183d5 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -65,8 +65,7 @@ jobs:
 name: release
 needs: [build]
 outputs:
- container_digest: ${{ steps.container_info.outputs.container_digest }}
- container_tags: ${{ steps.container_info.outputs.container_tags }}
+ container_info: ${{ steps.container_info.outputs.container_info }}
 container_repos: ${{ steps.container_info.outputs.container_repos }}
 runs-on: ubuntu-20.04
@@ -132,10 +131,20 @@ jobs:
 id: container_info
 if: startsWith(github.ref, 'refs/tags/')
 run: |
- export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
- echo "::set-output name=container_digest::$CONTAINER_DIGEST"
- echo "::set-output name=container_tags::$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)"
- echo "::set-output name=container_repos::$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"
+ function digest_tags {
+ while IFS= read -r line ; do
+ jq -n "{digest: \"$line\", tags: \$ARGS.positional}" --args $(make container-tags CONTAINER_DIGEST=$line)
+ done <<< "$(make manifest-digest GITHUB_REF=${{ github.ref_name }})"
+ }
+
+ CONTAINER_INFO="$(digest_tags | jq --slurp . -c)"
+ CONTAINER_DIGEST="$(echo "$CONTAINER_INFO" | jq --raw-output '.[0].digest')"
+ CONTAINER_REPOS="$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"
+
+ set | grep 'CONTAINER_'
+
+ echo "::set-output name=container_info::$CONTAINER_INFO"
+ echo "::set-output name=container_repos::$CONTAINER_REPOS"
 - name: Logout from Container registries
 if: ${{ always() }}
@@ -156,6 +165,7 @@ jobs:
 strategy:
 matrix:
 repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
+ container: ${{ fromJSON(needs.release.outputs.container_info) }}
 steps:
 - name: Install cosign 
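Review bot: `set | grep 'CONTAINER_'` in the new `container_info` step dumps every shell variable and function matching that prefix into the job log — any `CONTAINER_*` value inherited from the environment as well as the three computed here — and reads as a debugging leftover that should be dropped or replaced by an explicit `echo "CONTAINER_INFO=$CONTAINER_INFO"`. Nothing checks that a digest was actually found: `make manifest-digest` runs inside a `$(…)` here-string so its exit status is masked, an empty result makes `CONTAINER_INFO` equal `[]`, `.[0].digest` then yields `null`, and `make container-repos CONTAINER_DIGEST=null` plus the downstream cosign jobs proceed with that value. `$line` is spliced into the jq program text; `jq -n --arg digest "$line" '{digest: $digest, tags: $ARGS.positional}' --args …` keeps a digest containing quotes from breaking the filter. The rewritten line still interpolates `${{ github.ref_name }}` straight into the script; passing it through the step's `env:` and referencing `"$REF_NAME"` is the form GitHub recommends so a tag name is never parsed as shell. The rewritten step follows; `::set-output` is deprecated in favour of `$GITHUB_OUTPUT`, but that is unchanged by this commit.
```yaml
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          function digest_tags {
            while IFS= read -r line ; do
              [ -n "$line" ] || continue
              jq -n --arg digest "$line" '{digest: $digest, tags: $ARGS.positional}' --args $(make container-tags CONTAINER_DIGEST="$line")
            done <<< "$(make manifest-digest GITHUB_REF="$REF_NAME")"
          }

          CONTAINER_INFO="$(digest_tags | jq --slurp . -c)"
          CONTAINER_DIGEST="$(echo "$CONTAINER_INFO" | jq --raw-output '.[0].digest // empty')"
          if [ -z "$CONTAINER_DIGEST" ]; then
            echo "no manifest digest found for $REF_NAME" >&2
            exit 1
          fi
          # … unchanged: CONTAINER_REPOS computation and the two set-output lines …
```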
@@ -168,7 +178,7 @@ jobs:
 with:
 command: generate
 subcommand: container
- arguments: --repository ${{ matrix.repo }} --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
+ arguments: --repository ${{ matrix.repo }} --digest ${{ matrix.container.digest }} --tags ${{ join(matrix.container.tags, ',') }}
 env:
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
@@ -185,14 +195,14 @@ jobs:
 - name: Attach provenance to image
 run: |
 echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
- cosign attest --predicate provenance-predicate.json --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+ cosign attest --predicate provenance-predicate.json --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ matrix.container.digest }}
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 - name: Verify attestation
 run: |
 echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
- cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+ cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ matrix.container.digest }}
 - name: Logout from Container registries
 if: ${{ always() }}
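Review bot: The rewritten `cosign attest` and `cosign verify-attestation` lines still read their keys from files created by `echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key` and its public-key twin, and nothing in this hunk removes those files; with the matrix now fanning out over every repo × digest pair, the private key is materialised on disk in each such job. cosign accepts `env://NAME` key references, so exposing the secret through the step's `env:` and writing `cosign attest --predicate provenance-predicate.json --type slsaprovenance --key env://COSIGN_PRIVATE_KEY ${{ matrix.repo }}@${{ matrix.container.digest }}` (and `--key env://COSIGN_PUBLIC_KEY` in the verify step) avoids both the on-disk copy and splicing the secret into the script inside single quotes, which also breaks if the PEM ever contains one. If the key files are kept, a `rm -f cosign.key cosign.pub` in the `if: ${{ always() }}` cleanup step is the minimal alternative. The matrix value comes from the `container_info` output built in the release job, and the attest and verify steps pass it unvalidated, so an empty or `null` digest there surfaces only as a cosign error here rather than being rejected before the key is used.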