debug pipeline

fkie-cad · Dec 17, 2024 · b46fe94 · b46fe94
1 parent 6cd0bc7
commit b46fe94
Showing 1 changed file with 15 additions and 10 deletions.
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -20,8 +20,6 @@ jobs:
         python-version: [ "3.10", "3.11", "3.12" ]
 
     steps:
-
-
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
@@ -55,18 +53,25 @@ jobs:
           build-args: |
             LOGPREP_VERSION=${{ inputs.build-version }}
             PYTHON_VERSION=${{ matrix.python-version }}
-          tags: "${{ steps.image-tag.outputs.tags }}, ghcr.io/fkie-cad/logprep:local"
+          tags: ${{ steps.image-tag.outputs.tags }}
 
-      - name: List Docker imagers
+      - name: Extract image ID from sha256
+        id: imageid
         run: |
-          docker images --digests
+          python - <<EOF
+          import os
+          digest = "${{ steps.build-and-push.outputs.ImageID }}"
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
+              file.write(f"imageid={digest.split(':')[1]")
+          EOF
 
       - name: Ensure logprep is available in image
         run: |
-          docker run --rm ghcr.io/fkie-cad/logprep:local --version
+          docker run --rm ${{ steps.imageid.outputs.imageid }} --version
 
       - name: Push image
         uses: docker/build-push-action@v6
+        id: build-and-push
         with:
           context: .
           push: true
@@ -83,14 +88,14 @@ jobs:
       - name: Create SBOM of container image
         uses: anchore/sbom-action@v0
         with:
-          image: ghcr.io/fkie-cad/logprep:local
+          image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
           artifact-name: logprep@${{ steps.build-and-push.outputs.digest }}.spdx.json
           output-file: logprep@${{ steps.build-and-push.outputs.digest }}.spdx.json
 
       - name: Sign image with a key and add sbom attestation
         run: |
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:local
-          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.build-and-push.outputs.digest }}.spdx.json ghcr.io/fkie-cad/logprep:local
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.build-and-push.outputs.digest }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
         env:
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -114,7 +119,7 @@ jobs:
           TRIVY_CACHE_DIR: ./cache
         with:
           scan-type: image
-          image-ref: ghcr.io/fkie-cad/logprep:local
+          image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
           trivy-config: trivy.yaml
 
       # Trivy-db uses `0600` permissions.