Use Docker digest instead of tag to attest provenance

rancher · Feb 3, 2025 · e7d888f · e7d888f
1 parent ef12c6e
commit e7d888f
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -143,12 +143,15 @@ jobs:
           CURRENT_TAG: ${{ github.ref_name }}
         run: |
           for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep PRIME_REGISTRY | sed "s/{{ .Env.PRIME_REGISTRY }}/${PRIME_REGISTRY}/g" | sed "s/{{ .Tag }}/${CURRENT_TAG}/g"); do
+            # Extract Docker image reference plus digest from local image
+            IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMG_NAME})
+
             max_retries=3
             retry_delay=5
             i=0
 
             while [ "${i}" -lt "${max_retries}" ]; do
-                if slsactl download provenance --format=slsav1 "${IMG_NAME}" > provenance-slsav1.json; then
+                if slsactl download provenance --format=slsav1 "${IMAGE}" > provenance-slsav1.json; then
                     break
                 fi
                 if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
@@ -159,7 +162,7 @@ jobs:
                 sleep "${retry_delay}"
             done
 
-            cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${IMG_NAME}"
+            cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${IMAGE}"
           done
 
       - name: Upload charts to release